IDOR on ██████ via direct photo URL leads to unauthorized access to deleted and other users' photos
Unknown
Vulnerability Details
## Summary:
An Insecure Direct Object Reference (IDOR) vulnerability exists in the application that allows unauthorized access to photos belonging to other users. The application does not properly validate whether the logged-in user is authorized to access a photo when it is requested via its direct URL. This allows any authenticated user to view photos from other users' albums, including photos that have been deleted.
## Steps To Reproduce:
**Account A:**
1. Create an album
2. Upload a photo
3. Note the direct image URL: `https://████████/remote.php/dav/photos/███████/albums/srk./10700342-1.jpeg`
4. Delete that photo
5. Save the URL for future reference
**Account B:**
1. Copy the old image URL from Account A: `https://████/remote.php/dav/photos/████████/albums/srk./10700342-1.jpeg`
2. Paste it in the browser
3. The image loads successfully, even though Account B is a different user and the photo was deleted
## Supporting Material/References:
* Vulnerable URL pattern: `https://████████/remote.php/dav/photos/[user_email]/albums/[album_name]/[photo_id]`
* The photo was accessible despite being deleted and belonging to another account
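As an added illustration, not code from Nextcloud or from the reporter, the following Python sketches the authorization check the report describes as missing. It takes only the URL layout `/remote.php/dav/photos/[user]/albums/[album]/[photo]` from the report; the in-memory `STORE`, the account names, and the function names are constructed for this example. `serve_photo_vulnerable` mirrors the reported behaviour (resolve the path, serve whatever exists), while `serve_photo_hardened` ties the object to the requesting account, refuses soft-deleted objects, and answers every denial with the same 404 so that a foreign or deleted photo cannot be told apart from a nonexistent one.

```python
"""Authorization check for a WebDAV-style photo path.

Added example for this report, not Nextcloud's code. The URL layout
/remote.php/dav/photos/[user]/albums/[album]/[photo] is taken from the
report; STORE, the account names and the helper names are constructed.
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

PHOTOS_PREFIX = "/remote.php/dav/photos/"


@dataclass(frozen=True)
class Photo:
    owner: str      # account that uploaded the photo
    deleted: bool   # soft-deleted: the bytes may still exist on disk


# Constructed sample store, keyed by (user segment, album, file name).
STORE = {
    ("alice@example.com", "srk.", "10700342-1.jpeg"): Photo("alice@example.com", deleted=True),
    ("alice@example.com", "srk.", "10700342-2.jpeg"): Photo("alice@example.com", deleted=False),
}


def parse_photo_path(url: str):
    """Return (user, album, photo) from a photo URL, or raise ValueError."""
    path = unquote(urlsplit(url).path)
    if not path.startswith(PHOTOS_PREFIX):
        raise ValueError("not a photos path")
    parts = path[len(PHOTOS_PREFIX):].split("/")
    # Exactly four segments, none empty, no traversal, literal 'albums' marker.
    if len(parts) != 4 or parts[1] != "albums" or "" in parts or ".." in parts:
        raise ValueError("malformed photos path")
    user, _, album, photo = parts
    return user, album, photo


def serve_photo_vulnerable(requester: str, url: str) -> int:
    """Behaviour the report describes: resolve the path and serve whatever
    exists, without consulting the requester or the deletion flag."""
    try:
        key = parse_photo_path(url)
    except ValueError:
        return 404
    return 200 if key in STORE else 404


def serve_photo_hardened(requester: str, url: str) -> int:
    """Serve only objects the requester owns and that are not deleted.

    Every denial is a 404 so that a foreign or deleted object cannot be
    distinguished from one that never existed."""
    try:
        user, album, photo = parse_photo_path(url)
    except ValueError:
        return 404
    if user != requester:              # path names another account's tree
        return 404
    obj = STORE.get((user, album, photo))
    if obj is None or obj.deleted or obj.owner != requester:
        return 404
    return 200


if __name__ == "__main__":
    url = "https://cloud.example/remote.php/dav/photos/alice@example.com/albums/srk./10700342-1.jpeg"
    print("vulnerable, other user, deleted photo:", serve_photo_vulnerable("bob@example.com", url))
    print("hardened,   other user, deleted photo:", serve_photo_hardened("bob@example.com", url))
```

The two checks in the hardened handler are deliberately redundant: the path's user segment must match the session, and the stored owner must match it too. The first rejects requests for another account's tree before any lookup happens; the second protects against a store entry being moved or re-keyed under a path that no longer reflects its owner. Soft-deleted entries are rejected on the same branch, which is the check that would have stopped the deleted photo in the report from being served.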
Report Stats
- Report ID: 3518758
- State: Closed
- Substate: not-applicable
- Upvotes: 1