Metadata Leakage: Sidebar filters show values from restricted series within an accessible library #2225

@mslmn

Steps to reproduce

  1. Create a library and give a user access to it.
  2. In that library, apply a specific sharing label (e.g., "Private") to one series and a different label (e.g., "Public") to another.
  3. Assign a specific Writer and Tag or Genre to the "Private" series (e.g., Writer: Top Secret Author, Genre: Secret Genre).
  4. Restrict the user's account so they can only view the "Public" label.
  5. Log in as that user and enter the library.
  6. Observe: Top Secret Author and Secret Genre are still visible and selectable in the filter sidebar/search, even though the series itself is hidden.

Expected behavior

Metadata filters should be dynamically pruned based on the specific items a user is authorised to see within a library.

  • Dynamic Visibility: If a user’s filtered view of a library (based on labels or age) contains zero series associated with a specific metadata value, that value should be hidden from the sidebar, search suggestions, and discovery elements.
  • Context-Aware Filters: The available filters should be a derivative of the visible content, not the total content of the library. If the series is hidden by a restriction, its "footprint" (writers, pencillers, tags, etc.) should also be hidden.

This is particularly important for multi-user setups where administrators may want to hide the existence of certain genres or publishers from restricted accounts (e.g., children or guest accounts) for privacy and a cleaner UX.

Actual behavior

While library-level permissions correctly hide metadata from unauthorised libraries, series-level restrictions (Label-based or Age-based) do not.

If a user has access to a library, the right-side filter and search sidebar for that library "leaks" metadata from series they are restricted from seeing. This includes Genres, Tags, Publishers, Writers, Pencillers, etc. This results in users seeing filter options that lead to empty results, exposing metadata they should not be able to view.

Example Scenario

  • The Setup: There is a library called Comics which User A has permission to access.
  • The Content: Series 1 in Comics has the label All Ages and the writer Jeff Smith.
  • Series 2 in Comics has the tag/genre Gore and the writer Matt Gardner.
  • The Restriction: User A is restricted to only see content with the All Ages label.
  • The Issue: When browsing the Comics library, User A correctly only sees Series 1. However, in the sidebar filters for that library, they can still see the Gore tag/genre and search for the writer Matt Gardner, even though this info is only associated with the restricted Series 2.

Logs

No response

Komga version

1.24.1

Operating system

macOS

Installation method

Docker

Other details

No response

Acknowledgements

  • I have searched the existing issues (open AND closed) and this is a new ticket, NOT a duplicate or related to another open issue.
  • I have written a short but informative title.
  • I have checked the FAQ.
  • I have updated the app to the latest version.
  • I will fill out all of the requested information in this form.
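
The Example Scenario from the report, reproduced as an added example (not Komga's code and not part of the original issue): sidebar values computed over the whole library versus over only the series the user's label restriction allows. The schema, table names and function names are hypothetical, and the restriction is modelled as an allow-list of sharing labels.

```python
import sqlite3

def build_db():
    """Constructed sample data mirroring the report's scenario (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE series (id INTEGER PRIMARY KEY, library TEXT, title TEXT);
        CREATE TABLE sharing_label (series_id INTEGER, label TEXT);
        CREATE TABLE facet (series_id INTEGER, kind TEXT, value TEXT);
        INSERT INTO series VALUES (1, 'Comics', 'Series 1'), (2, 'Comics', 'Series 2');
        INSERT INTO sharing_label VALUES (1, 'All Ages');
        INSERT INTO facet VALUES (1, 'writer', 'Jeff Smith'),
                                 (2, 'writer', 'Matt Gardner'),
                                 (2, 'genre', 'Gore');
    """)
    return db

def facets_library_scoped(db, library):
    """Leaky: every value in the library, ignoring series-level restrictions."""
    return db.execute(
        "SELECT DISTINCT f.kind, f.value FROM facet f "
        "JOIN series s ON s.id = f.series_id "
        "WHERE s.library = ? ORDER BY 1, 2", (library,)).fetchall()

def facets_visible_scoped(db, library, allowed_labels):
    """Pruned: only values attached to series carrying an allowed label."""
    marks = ",".join("?" * len(allowed_labels))  # empty list matches nothing
    return db.execute(
        "SELECT DISTINCT f.kind, f.value FROM facet f "
        "JOIN series s ON s.id = f.series_id "
        "WHERE s.library = ? AND EXISTS ("
        "  SELECT 1 FROM sharing_label l "
        f"  WHERE l.series_id = s.id AND l.label IN ({marks})) "
        "ORDER BY 1, 2", (library, *allowed_labels)).fetchall()

def leaked_facets(db, library, allowed_labels):
    """Regression check: values only the library-scoped query exposes."""
    return sorted(set(facets_library_scoped(db, library))
                  - set(facets_visible_scoped(db, library, allowed_labels)))

if __name__ == "__main__":
    db = build_db()
    print("library-scoped:", facets_library_scoped(db, "Comics"))
    print("visible-scoped:", facets_visible_scoped(db, "Comics", ["All Ages"]))
    print("leaked:        ", leaked_facets(db, "Comics", ["All Ages"]))
```

A non-empty `leaked_facets` result for a restricted account is the condition the report describes; the same comparison can serve as an authorization regression test for any endpoint that returns filter or search-suggestion values.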
