Usage photo privacy

What it is

A member attaches a photo to a usage log (e.g. a Hobbs reading, a receipt). Photos are stored privately. Whether another member can see the photo depends on three things:

Who they are (uploader, admin/owner, or ordinary member).
The syndicate’s “Share usage photos” setting.
Whether they have an active, valid signed URL (URLs expire after 15 minutes).

Who can use it

Any member can upload a photo to their own log.
Admins and owners always see all photos in their syndicate.
Members see photos on their own logs, and see others’ photos only when “Share usage photos” is on.

Where to find it

The setting lives at Syndicate settings → Privacy & Visibility (/syndicates/:syndicateId/settings/privacy), labelled Share usage photos with all members.
The setting is stored on the syndicate as share_usage_photos (boolean).

Fields / options

Field	Type	Default	Who can change
Share usage photos with all members	Toggle	Off	Admins and owners

The toggle saves immediately on change — there is no separate “Save” step.

Behaviour rules

The viewer can see a photo when any of these is true:

They are the uploader (the user ID on the log matches theirs).
They are an admin or owner of the syndicate.
The syndicate’s Share usage photos setting is on.

Otherwise the photo is hidden from that member — the slot renders empty, not a locked icon.

Implementation detail:

Photos live in a private storage bucket.
The app generates a short-lived signed URL (15 minutes) at display time — never a permanent public URL.
The signed URL is only generated when the viewer is allowed to see the photo. A viewer who is not allowed never receives a URL, not even a hidden one.
Signed URLs cannot usefully be shared — they expire.

Changes to the setting take effect immediately for the next signed URL. Already-open photo viewers in other sessions still show the image until their 15-minute URL expires.