Area: Files/photos (re-run) (audit p5r) · Surface: /photos/album/{id} (PhotoGalleryController@update / upload) · Dimension: competitor-gap · Severity: minor
Mighty Networks, Circle, and every album UI let the owner pick which photo represents the album. Ours silently uses whatever happened to upload first, and the only way to change the cover is to delete the current first photo. The cover_item_id column and the my-albums grid that renders it (my-albums.php:44-47) are already there; just the picker is missing. This is the kind of small polish gap that makes our galleries feel half-finished next to a competitor's.
Evidence
The album.php controller docblock advertises a 'set as album cover' action (`POST /photos/item/{id}/cover`) but no such route exists in routes.php and no `cover` method exists in PhotoGalleryController. Cover is only auto-set to the earliest photo when NULL (PhotoGalleryController.php:420-440: `if (empty($album['cover_item_id'])) ... ORDER BY id ASC LIMIT 1`). update() (lines 220-241) only patches title/description/privacy — it never accepts cover_item_id.
Suggested fix
Add an owner-only 'Set as cover' affordance on each lightbox/tile that submits to `POST /photos/item/{id}/cover`; the handler validates ownership and writes photo_albums.cover_item_id. Add cover_item_id to the update() allowlist.
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus
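The ownership validation named in the suggested fix, sketched as an added example (not the project's code): the album is resolved from the photo itself and the owner is checked in the same query, so a caller cannot set a cover on someone else's album or point a cover at a photo from another album. The `photo_items` table and the `album_id` and `user_id` columns are assumed names; only `photo_albums.cover_item_id` comes from the finding.

```php
<?php
declare(strict_types=1);

// Added example, not project code. photo_items, photo_items.album_id and
// photo_albums.user_id are assumed names for illustration.
function setAlbumCover(PDO $db, int $userId, int $itemId): bool
{
    // Resolve the album from the item, never from a client-supplied album id,
    // and require the caller to own that album in the same query.
    $find = $db->prepare(
        'SELECT a.id FROM photo_items i
           JOIN photo_albums a ON a.id = i.album_id
          WHERE i.id = :item AND a.user_id = :user'
    );
    $find->execute([':item' => $itemId, ':user' => $userId]);
    $albumId = $find->fetchColumn();
    if ($albumId === false) {
        return false; // unknown photo or caller is not the owner
    }
    $upd = $db->prepare(
        'UPDATE photo_albums SET cover_item_id = :item
          WHERE id = :album AND user_id = :user'
    );
    $upd->execute([':item' => $itemId, ':album' => $albumId, ':user' => $userId]);
    return true;
}

// Same membership rule for update(): once cover_item_id is on the allowlist,
// accept it only when the photo belongs to the album being edited.
function coverBelongsToAlbum(PDO $db, int $albumId, int $itemId): bool
{
    $q = $db->prepare('SELECT 1 FROM photo_items WHERE id = :item AND album_id = :album');
    $q->execute([':item' => $itemId, ':album' => $albumId]);
    return $q->fetchColumn() !== false;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE photo_albums (id INTEGER PRIMARY KEY, user_id INTEGER, cover_item_id INTEGER)');
$db->exec('CREATE TABLE photo_items (id INTEGER PRIMARY KEY, album_id INTEGER)');
$db->exec('INSERT INTO photo_albums VALUES (1, 10, 100), (2, 20, 200)');
$db->exec('INSERT INTO photo_items VALUES (100, 1), (101, 1), (200, 2)');

var_dump(setAlbumCover($db, 10, 101));      // owner picks a photo in their own album
var_dump(setAlbumCover($db, 10, 200));      // photo that lives in another user's album
var_dump(setAlbumCover($db, 10, 999));      // photo id that does not exist
var_dump(coverBelongsToAlbum($db, 1, 200)); // pairing that update() must refuse
```

In the controller, a `false` return maps to the same not-found or forbidden response the other owner-only actions use, so the endpoint does not reveal whether a photo id exists.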