[Bug]: Video playback fails (503) on publicly shared albums - null user ID in DAV URL #3442
Description
Bug description
When a Photos album is shared via public link and a visitor tries to play a video, the request fails with HTTP 503. Images in the same album work fine.
Steps to reproduce
- Create an album in the Photos app containing videos (mp4)
- Share the album via public link
- Open the public share URL in a browser (without being logged in)
- Try to play a video
Expected behavior
Video plays normally, same as when logged in.
Actual behavior
Video fails to load with HTTP 503. The browser makes requests to two URLs:
GET /public.php/dav/photospublic/{token}/video.mp4 → 503
GET /public.php/dav/files/null/{token}/video.mp4 → 503
Note the null user ID in the second URL — the Photos app cannot resolve the album owner when serving the request via a public share token, resulting in a broken DAV path.
The Nextcloud application log shows:
{
"level": 3,
"app": "no app in context",
"method": "GET",
"url": "/public.php/dav/photospublic/{token}/video.mp4",
"message": "Exception thrown: Sabre\\DAV\\Exception\\NotFound",
"exception": {
"Exception": "Sabre\\DAV\\Exception\\NotFound",
"Message": "",
"File": "/var/www/html/apps/dav/lib/Connector/Sabre/PublicAuth.php",
"Line": 133
}
}PublicAuth::checkToken() throws NotFound because album share tokens are not stored in the same share backend as regular file shares.
As a side effect, this triggers the brute-force protection, causing subsequent requests to be throttled (HTTP 429) even after the rate limit is reset.
Workaround
None found for album shares. Sharing the folder directly via the Files app (standard link share) works correctly for video streaming.
Environment
- Nextcloud version: 33.0.0
- Photos app version: 6.0.0-dev.0 (shipped with
nextcloud:33.0.0-apacheDocker image) - Reverse proxy: Traefik v3
- Browser: Chrome 145 (Linux)