geovisio 2.10.0__py3-none-any.whl → 2.11.0__py3-none-any.whl

geovisio/web/docs.py

@@ -394,6 +394,7 @@ The CSV headers will be:
                             "geovisio:sorted-by": {"$ref": "#/components/schemas/GeoVisioCollectionSortedBy"},
                             "geovisio:upload-software": {"$ref": "#/components/schemas/GeoVisioCollectionUploadSoftware"},
                             "geovisio:length_km": {"$ref": "#/components/schemas/GeoVisioLengthKm"},
+                            "geovisio:visibility": {"$ref": "#/components/schemas/GeoVisioVisibility"},
                             "quality:horizontal_accuracy": {"type": "number", "title": "Estimated GPS position precision (in meters)"},
                             "quality:horizontal_accuracy_type": {
                                 "type": "string",
@@ -496,6 +497,7 @@ The CSV headers will be:
                                         "minimum": 1,
                                         "title": "Rank of the picture in its collection.",
                                     },
+                                    "geovisio:visibility": {"$ref": "#/components/schemas/GeoVisioVisibility"},
                                     "original_file:size": {"type": "integer", "minimum": 0, "title": "Size of the original file, in bytes"},
                                     "original_file:name": {"type": "string", "title": "Original file name"},
                                     "panoramax:horizontal_pixel_density": {
@@ -655,7 +657,15 @@ Available properties are:
             },
             "GeoVisioItemStatus": {
                 "type": "string",
-                "enum": ["ready", "broken", "waiting-for-process"],
+                "enum": ["ready", "broken", "waiting-for-process", "pouet"],
+            },
+            "GeoVisioVisibility": {
+                "type": "string",
+                "description": """Visibility of the object. Can be set to:
+    * `anyone`: visible to anyone
+    * `owner-only`: visible to the owner and administrator only
+    * `logged-only`: visible to logged users only. Note that this is not available on all Panoramax instances, only those with restricted account creation. See the possible visibility values for a given instance on /api/configuration (field `visibility`).""",
+                "enum": ["anyone", "owner-only", "logged-only"],
             },
             "GeoVisioPostReport": reports.ReportCreationParameter.model_json_schema(
                 ref_template="#/components/schemas/GeoVisioPostReport/$defs/{model}", mode="serialization"
@@ -938,7 +948,8 @@ A CQL2 filter expression for filtering sequences.
 Allowed properties are:
  * "created": upload date
  * "updated": last edit date
- * "status": status of the sequence. Can either be "ready" (for collections ready to be served) or "deleted"  for deleted collection. By default, only the "ready" collections will be shown.
+
+Note: the `status` filter is not supported anymore, use the `show_deleted` parameter instead if you need to query deleted collections
 
 Usage doc can be found here: https://docs.geoserver.org/2.23.x/en/user/tutorials/cql/cql_tutorial.html
 
@@ -1009,7 +1020,7 @@ Note that this parameter is not taken in account for 360° pictures, as by defin
                 "description": """Define the sort order of the results of a search. 
 Sort order is defined based on preceding '+' (asc) or '-' (desc).
 
-By default we sort to get the last updated pictures firstn (-updated).
+By default we sort to get the last updated pictures first (-updated).
 
 Available properties are:
 * `ts`: capture datetime of the picture
@@ -1037,11 +1048,14 @@ For the moment only equality (`=`) and list (`IN`) filters are supported. We do
 
 To search for any values of a semantic tag, use `semantics.some_key IS NOT NULL` (case matter here).
 
+To search for items with any semantic tags, use `"semantics" IS NOT NULL`.
+
 Examples:
 
 * "semantics.osm|traffic_sign"='yes'
 * "semantics.osm|traffic_sign" IS NOT NULL'
 * "semantics.osm|amenity" IN ('bench', 'whatever') OR "semantics.osm|traffic_sign"='yes'
+* "semantics" IS NOT NULL
 """,
                 "required": False,
                 "schema": {

geovisio/web/items.py

@@ -5,8 +5,7 @@ import os
 from typing import Dict, List, Optional, Any
 from urllib.parse import unquote
 from psycopg.types.json import Jsonb
-from pydantic import BaseModel, ConfigDict, ValidationError, field_validator, model_validator
-from shapely import intersects
+from pydantic import BaseModel, ValidationError, field_validator, model_validator
 from werkzeug.datastructures import MultiDict
 from uuid import UUID
 from geovisio import errors, utils
@@ -30,13 +29,15 @@ from geovisio.web.params import (
     parse_lonlat,
     parse_distance_range,
     parse_picture_heading,
+    Visibility,
+    check_visibility,
 )
 from geovisio.utils.fields import Bounds, SQLDirection
 import hashlib
 from psycopg.rows import dict_row
 from psycopg.sql import SQL
 from geovisio.web.utils import (
-    accountIdOrDefault,
+    accountOrDefault,
     cleanNoneInList,
     dbTsToStac,
     dbTsToStacTZ,
@@ -49,12 +50,18 @@ from flask import current_app, request, url_for, Blueprint
 from flask_babel import gettext as _, get_locale
 from geopic_tag_reader.writer import writePictureMetadata, PictureMetadata
 import sentry_sdk
-import math
 
 
 bp = Blueprint("stac_items", __name__, url_prefix="/api")
 
 
+def retrocompatible_picture_status(db_pic):
+    """We used to display status='hidden' for hidden picture, now that the status and the visiblity has been split, we still return a 'ready' status for retrocompatibility"""
+    if db_pic.get("status") == "hidden":
+        return "ready"
+    return db_pic.get("status")
+
+
 def dbPictureToStacItem(dbPic):
     """Transforms a picture extracted from database into a STAC Item
 
@@ -143,14 +150,15 @@ def dbPictureToStacItem(dbPic):
                     ),
                     "pers:pitch": dbPic["metadata"].get("pitch"),
                     "pers:roll": dbPic["metadata"].get("roll"),
-                    "geovisio:status": dbPic.get("status"),
+                    "geovisio:status": retrocompatible_picture_status(dbPic),
+                    "geovisio:visibility": dbPic.get("visibility"),
                     "geovisio:producer": dbPic["account_name"],
                     "geovisio:rank_in_collection": dbPic["rank"],
                     "original_file:size": dbPic["metadata"].get("originalFileSize"),
                     "original_file:name": dbPic["metadata"].get("originalFileName"),
                     "panoramax:horizontal_pixel_density": dbPic.get("h_pixel_density"),
-                    "geovisio:image": _getHDJpgPictureURL(dbPic["id"], dbPic.get("status")),
-                    "geovisio:thumbnail": _getThumbJpgPictureURL(dbPic["id"], dbPic.get("status")),
+                    "geovisio:image": _getHDJpgPictureURL(dbPic["id"], dbPic.get("visibility")),
+                    "geovisio:thumbnail": _getThumbJpgPictureURL(dbPic["id"], dbPic.get("visibility")),
                     "exif": removeNoneInDict(cleanupExif(dbPic["exif"])),
                     "quality:horizontal_accuracy": float("{:.1f}".format(dbPic["gps_accuracy_m"])) if dbPic.get("gps_accuracy_m") else None,
                     "semantics": [s for s in dbPic.get("semantics") or [] if s],
@@ -185,21 +193,21 @@ def dbPictureToStacItem(dbPic):
                     "description": "Highest resolution available of this picture",
                     "roles": ["data"],
                     "type": "image/jpeg",
-                    "href": _getHDJpgPictureURL(dbPic["id"], status=dbPic.get("status")),
+                    "href": _getHDJpgPictureURL(dbPic["id"], visibility=dbPic.get("visibility")),
                 },
                 "sd": {
                     "title": "SD picture",
                     "description": "Picture in standard definition (fixed width of 2048px)",
                     "roles": ["visual"],
                     "type": "image/jpeg",
-                    "href": _getSDJpgPictureURL(dbPic["id"], status=dbPic.get("status")),
+                    "href": _getSDJpgPictureURL(dbPic["id"], visibility=dbPic.get("visibility")),
                 },
                 "thumb": {
                     "title": "Thumbnail",
                     "description": "Picture in low definition (fixed width of 500px)",
                     "roles": ["thumbnail"],
                     "type": "image/jpeg",
-                    "href": _getThumbJpgPictureURL(dbPic["id"], status=dbPic.get("status")),
+                    "href": _getThumbJpgPictureURL(dbPic["id"], visibility=dbPic.get("visibility")),
                 },
             },
             "collection": str(seqId),
@@ -277,7 +285,7 @@ def dbPictureToStacItem(dbPic):
                 "description": "Highest resolution available of this picture, as tiles",
                 "roles": ["data"],
                 "type": "image/jpeg",
-                "href": _getTilesJpgPictureURL(dbPic["id"], status=dbPic.get("status")),
+                "href": _getTilesJpgPictureURL(dbPic["id"], visibility=dbPic.get("visibility")),
             }
         }
 
@@ -366,9 +374,10 @@ def getCollectionItems(collectionId):
 
     filters = [
         SQL("sp.seq_id = %(seq)s"),
-        SQL("(p.status = 'ready' OR p.account_id = %(account)s)"),
-        SQL("(is_sequence_visible_by_user(s, %(account)s))"),
+        SQL("(p.preparing_status = 'prepared' OR p.account_id = %(account)s)"),
     ]
+    if account is None or not account.can_see_all():
+        filters.append(SQL("(is_picture_visible_by_user(p, %(account)s))"))
 
     # Check if limit is valid
     sql_limit = SQL("")
@@ -407,7 +416,7 @@ def getCollectionItems(collectionId):
                 + (", MAX(sp.rank) AS max_rank, MIN(sp.rank) AS min_rank " if paginated else "")
                 + "FROM sequences s "
                 + ("LEFT JOIN sequences_pictures sp ON sp.seq_id = s.id " if paginated else "")
-                + "WHERE s.id = %(seq)s AND (is_sequence_visible_by_user(s, %(account)s)) "
+                + "WHERE s.id = %(seq)s AND (s.status = 'ready' OR s.account_id = %(account)s) AND is_sequence_visible_by_user(s, %(account)s) AND s.status != 'deleted'"
                 + ("GROUP BY s.id" if paginated else ""),
                 params,
             ).fetchone()
@@ -436,29 +445,36 @@ def getCollectionItems(collectionId):
                 params["start_after_rank"] = rank
 
             query = SQL(
-                """
-                SELECT
-                    p.id, p.ts, p.heading, p.metadata, p.inserted_at, p.updated_at, p.status,
+                """SELECT
+                    p.id, p.ts, p.heading, p.metadata, p.inserted_at, p.updated_at, p.status, p.visibility,
                     ST_AsGeoJSON(p.geom)::json AS geojson,
                     a.name AS account_name,
                     p.account_id AS account_id,
                     sp.seq_id, sp.rank, p.exif, p.gps_accuracy_m, p.h_pixel_density,
-                    CASE WHEN LAG(p.status) OVER othpics = 'ready' THEN LAG(p.id) OVER othpics END AS prevpic,
-                    CASE WHEN LAG(p.status) OVER othpics = 'ready' THEN ST_AsGeoJSON(LAG(p.geom) OVER othpics)::json END AS prevpicgeojson,
-                    CASE WHEN LEAD(p.status) OVER othpics = 'ready' THEN LEAD(p.id) OVER othpics END AS nextpic,
-                    CASE WHEN LEAD(p.status) OVER othpics = 'ready' THEN ST_AsGeoJSON(LEAD(p.geom) OVER othpics)::json END AS nextpicgeojson,
+                    CASE WHEN LAG(is_picture_visible_by_user(p, %(account)s)) OVER othpics THEN LAG(p.id) OVER othpics END AS prevpic,
+                    CASE WHEN LAG(is_picture_visible_by_user(p, %(account)s)) OVER othpics THEN ST_AsGeoJSON(LAG(p.geom) OVER othpics)::json END AS prevpicgeojson,
+                    CASE WHEN LEAD(is_picture_visible_by_user(p, %(account)s)) OVER othpics THEN LEAD(p.id) OVER othpics END AS nextpic,
+                    CASE WHEN LEAD(is_picture_visible_by_user(p, %(account)s)) OVER othpics THEN ST_AsGeoJSON(LEAD(p.geom) OVER othpics)::json END AS nextpicgeojson,
                     get_picture_semantics(p.id) as semantics,
-                    get_picture_annotations(p.id) as annotations
+                    get_picture_annotations(p.id) as annotations,
+                    COALESCE(seq_sem.semantics, '[]'::json) AS sequence_semantics
                 FROM sequences_pictures sp
                 JOIN pictures p ON sp.pic_id = p.id
                 JOIN accounts a ON a.id = p.account_id
                 JOIN sequences s ON s.id = sp.seq_id
+                LEFT JOIN (
+                    SELECT sequence_id, json_agg(json_strip_nulls(json_build_object(
+                        'key', key,
+                        'value', value
+                    )) ORDER BY key, value) AS semantics
+                    FROM sequences_semantics
+                    GROUP BY sequence_id
+                ) seq_sem ON seq_sem.sequence_id = s.id
                 WHERE
                     {filter}
                 WINDOW othpics AS (PARTITION BY sp.seq_id ORDER BY sp.rank)
                 ORDER BY rank
-                {limit}
-                """
+                {limit}"""
             ).format(filter=SQL(" AND ").join(filters), limit=sql_limit)
 
             records = cursor.execute(query, params)
@@ -578,20 +594,31 @@ def getCollectionItems(collectionId):
 def _getPictureItemById(itemId: UUID, account: Optional[Account]):
     """Get a picture metadata by its ID"""
     with current_app.pool.connection() as conn:
+        perm_filter = SQL("")
+        if account is not None and account.can_see_all():
+            # admins can see all pictures, regardless of their visibility
+            perm_filter = SQL("TRUE")
+        else:
+            perm_filter = SQL(
+                """(p.account_id = %(acc)s OR p.status != 'hidden') -- for retrocompabitilty, we can drop this filter once database have migrated all hidden pictures
+    AND (is_picture_visible_by_user(p, %(acc)s))
+    AND (s.status != 'hidden' OR s.account_id = %(acc)s) -- same, we can drop this later (and replace it with `s.status = 'ready'`)
+    AND is_sequence_visible_by_user(s, %(acc)s)"""
+            )
+
         with conn.cursor(row_factory=dict_row) as cursor:
-            # Check if there is a logged user
-            account = auth.get_current_account()
-            accountId = account.id if account else None
 
             # Get rank + position of wanted picture
             record = cursor.execute(
-                """WITH seq AS (
+                SQL(
+                    """WITH seq AS (
                     SELECT seq_id FROM sequences_pictures WHERE pic_id = %(pic)s LIMIT 1
                 )
                 SELECT
                     p.id, sp.seq_id, sp.rank, ST_AsGeoJSON(p.geom)::json AS geojson, p.heading, p.ts, p.metadata,
-                    p.inserted_at, p.updated_at, p.status, accounts.name AS account_name,
-                    p.account_id AS account_id,
+                    p.inserted_at, p.updated_at, p.status,
+                    accounts.name AS account_name, p.account_id AS account_id,
+                    p.visibility, 
                     spl.prevpic, spl.prevpicgeojson, spl.nextpic, spl.nextpicgeojson, p.exif,
                     relp.related_pics, p.gps_accuracy_m, p.h_pixel_density,
                     get_picture_semantics(p.id) as semantics,
@@ -612,7 +639,7 @@ def _getPictureItemById(itemId: UUID, account: Optional[Account]):
                     JOIN sequences_pictures sp ON p.id = sp.pic_id
                     WHERE
                         sp.seq_id IN (SELECT seq_id FROM seq)
-                        AND (p.account_id = %(acc)s OR p.status != 'hidden')
+                        AND (is_picture_visible_by_user(p, %(acc)s) AND p.preparing_status = 'prepared')
                     WINDOW othpics AS (PARTITION BY sp.seq_id ORDER BY sp.rank)
                 ) spl ON p.id = spl.id
                 LEFT JOIN (
@@ -662,11 +689,12 @@ def _getPictureItemById(itemId: UUID, account: Optional[Account]):
                 ) seq_sem ON seq_sem.sequence_id = s.id
                 WHERE sp.seq_id IN (SELECT seq_id FROM seq)
                     AND p.id = %(pic)s
-                    AND (p.account_id = %(acc)s OR p.status != 'hidden')
-                    AND (s.status != 'hidden' OR s.account_id = %(acc)s)
+                    -- TODO Should we show non prepared items to all ? AND (p.account_id = %(acc)s OR p.preparing_status = 'prepared')
+                    AND {perm_filter}
                     AND s.status != 'deleted'
-                """,
-                {"pic": itemId, "acc": accountId},
+                """
+                ).format(perm_filter=perm_filter),
+                {"pic": itemId, "acc": account.id if account is not None else None},
             ).fetchone()
 
             if record is None:
@@ -763,9 +791,12 @@ def searchItems():
 
     account = auth.get_current_account()
     accountId = account.id if account is not None else None
-    sqlWhere = [SQL("(p.status = 'ready' OR p.account_id = %(account)s)"), SQL("(is_sequence_visible_by_user(s, %(account)s))")]
+    sqlWhere = [
+        SQL("(p.status = 'ready' AND is_picture_visible_by_user(p, %(account)s))"),
+        SQL("(s.status = 'ready' AND is_sequence_visible_by_user(s, %(account)s))"),
+    ]
     sqlParams: Dict[str, Any] = {"account": accountId}
-    sqlSubQueryWhere = [SQL("(p.status = 'ready' OR p.account_id = %(account)s)")]
+    sqlSubQueryWhere = [SQL("(p.status = 'ready' AND is_picture_visible_by_user(p, %(account)s))")]
 
     #
     # Parameters parsing and verification
@@ -1172,7 +1203,7 @@ def postCollectionItem(collectionId, account=None):
                 raise errors.InvalidAPIUsage(_("The collection has been deleted, impossible to add pictures to it"), status_code=404)
 
             # Compute various metadata
-            accountId = accountIdOrDefault(account)
+            accountId = accountOrDefault(account).id
             raw_pic = picture.read()
             filesize = len(raw_pic)
 
@@ -1217,7 +1248,7 @@ def postCollectionItem(collectionId, account=None):
 
     # Return picture metadata
     return (
-        getCollectionItem(collectionId, picId)[0],
+        _getPictureItemById(picId, account=account),
         202,
         {
             "Content-Type": "application/json",
@@ -1233,7 +1264,21 @@ class PatchItemParameter(BaseModel):
     heading: Optional[int] = None
     """Heading of the picture. The new heading will not be persisted in the picture's exif tags for the moment."""
     visible: Optional[bool] = None
-    """Should the picture be publicly visible ?"""
+    """Should the picture be publicly visible ?
+    
+    This parameter is deprecated in favor of the finer grained `visibility` parameter.
+    `visible=true` is equivalent to `visibility=anyone`.
+    `visible=false` is equivalent to `visibility=logged-only`.
+    """
+    visibility: Optional[Visibility] = None
+    """Visibility of the sequence. Can be set to:
+    * `anyone`: the sequence is visible to anyone
+    * `owner-only`: the sequence is visible to the owner and administrator only
+    * `logged-only`: the sequence is visible to logged users only
+
+    This visibility can also be set for each picture individually, using the `visibility` field of the pictures.
+    If not set at the sequence level, it will default to the visibility of the `upload_set` and if not set the default visibility of the `account` and if not set the default visibility of the instance.
+    """
 
     capture_time: Optional[datetime] = None
     """Capture time of the picture. The new capture time will not be persisted in the picture's exif tags for the moment."""
@@ -1301,13 +1346,28 @@ class PatchItemParameter(BaseModel):
             raise errors.InvalidAPIUsage(_("Longitude cannot be overridden alone, latitude also needs to be set"))
         if self.longitude is None and self.latitude is not None:
             raise errors.InvalidAPIUsage(_("Latitude cannot be overridden alone, longitude also needs to be set"))
+        if self.visibility is not None and self.visible is not None:
+            raise errors.InvalidAPIUsage(_("Visibility and visible parameters are mutually exclusive parameters"))
+        # handle retrocompatibility on the visible parameter
+        if self.visible is not None:
+            self.visibility = Visibility.anyone if self.visible is True else Visibility.owner_only
         return self
 
     def has_only_semantics_updates(self):
         return self.model_fields_set == {"semantics"}
 
+    @field_validator("visibility", mode="after")
+    @classmethod
+    def validate_visibility(cls, visibility):
+        if not check_visibility(visibility):
+            raise errors.InvalidAPIUsage(
+                _("The logged-only visibility is not allowed on this instance since anybody can create an account"),
+                status_code=400,
+            )
+        return visibility
+
 
-def update_picture(itemId: UUID, account: Optional[Account]):
+def update_picture(itemId: UUID, account: Account):
     # Parse received parameters
     metadata = None
     content_type = (request.headers.get("Content-Type") or "").split(";")[0]
@@ -1327,16 +1387,23 @@ def update_picture(itemId: UUID, account: Optional[Account]):
     # Check if picture exists and if given account is authorized to edit
     with db.conn(current_app) as conn:
         with conn.transaction(), conn.cursor(row_factory=dict_row) as cursor:
-            pic = cursor.execute("SELECT status, account_id FROM pictures WHERE id = %s", [itemId]).fetchone()
+            pic = cursor.execute(
+                """SELECT p.visibility, p.account_id 
+                FROM pictures p
+                JOIN sequences_pictures sp ON sp.pic_id = p.id
+                JOIN sequences s ON s.id = sp.seq_id
+                WHERE p.id = %(id)s AND is_picture_visible_by_user(p, %(account)s) AND is_sequence_visible_by_user(s, %(account)s)""",
+                {"id": itemId, "account": account.id},
+            ).fetchone()
 
             # Picture not found
             if not pic:
                 raise errors.InvalidAPIUsage(_("Picture %(p)s wasn't found in database", p=itemId), status_code=404)
 
-            if account is not None and account.id != str(pic["account_id"]):
+            if not account.can_edit_item(str(pic["account_id"])):
                 # Account associated to picture doesn't match current user
                 # and we limit the status change to only the owner.
-                if metadata.visible is not None:
+                if metadata.visibility is not None:
                     raise errors.InvalidAPIUsage(
                         _("You're not authorized to edit the visibility of this picture. Only the owner can change this."), status_code=403
                     )
@@ -1352,24 +1419,14 @@ def update_picture(itemId: UUID, account: Optional[Account]):
             sqlParams = {"id": itemId, "account": account.id}
 
             # Let's edit this picture
-            oldStatus = pic["status"]
-            if oldStatus not in ["ready", "hidden"]:
-                # Picture is in a preparing/broken/... state so no edit possible
-                raise errors.InvalidAPIUsage(
-                    _(
-                        "Picture %(p)s is in %(s)s state, its visibility can't be changed for now",
-                        p=itemId,
-                        s=oldStatus,
-                    ),
-                    status_code=400,
-                )
+            oldVisibility = pic["visibility"]
 
-            newStatus = None
-            if metadata.visible is not None:
-                newStatus = "ready" if metadata.visible is True else "hidden"
-                if newStatus != oldStatus:
-                    sqlUpdates.append(SQL("status = %(status)s"))
-                    sqlParams["status"] = newStatus
+            newVisibility = None
+            if metadata.visibility is not None:
+                newVisibility = metadata.visibility.value
+                if newVisibility != oldVisibility:
+                    sqlUpdates.append(SQL("visibility = %(visibility)s"))
+                    sqlParams["visibility"] = newVisibility
 
             if metadata.heading is not None:
                 sqlUpdates.extend([SQL("heading = %(heading)s"), SQL("heading_computed = false")])
@@ -1457,12 +1514,12 @@ def patchCollectionItem(collectionId, itemId, account):
                     schema:
                         $ref: '#/components/schemas/GeoVisioItem'
     """
-    return update_picture(itemId, account)
+    return update_picture(itemId, account=account)
 
 
 @bp.route("/collections/<uuid:collectionId>/items/<uuid:itemId>", methods=["DELETE"])
 @auth.login_required()
-def deleteCollectionItem(collectionId, itemId, account):
+def deleteCollectionItem(collectionId: UUID, itemId: UUID, account: Account):
     """Delete an existing picture
     ---
     tags:
@@ -1498,7 +1555,7 @@ def deleteCollectionItem(collectionId, itemId, account):
                 raise errors.InvalidAPIUsage(_("Picture %(p)s wasn't found in database", p=itemId), status_code=404)
 
             # Account associated to picture doesn't match current user
-            if account is not None and account.id != str(pic[1]):
+            if not account.can_edit_item(str(pic[1])):
                 raise errors.InvalidAPIUsage(_("You're not authorized to edit this picture"), status_code=403)
 
             cursor.execute("DELETE FROM pictures WHERE id = %s", [itemId])
@@ -1509,29 +1566,29 @@ def deleteCollectionItem(collectionId, itemId, account):
     return "", 204
 
 
-def _getHDJpgPictureURL(picId: str, status: Optional[str]):
+def _getHDJpgPictureURL(picId: str, visibility: Optional[str]):
     external_url = utils.pictures.getPublicHDPictureExternalUrl(picId, format="jpg")
-    if external_url and status == "ready":  # we always serve non ready pictures through the API to be able to check permission:
+    if external_url and visibility == "anyone":  # we always serve non public pictures through the API to be able to check permission:
         return external_url
     return url_for("pictures.getPictureHD", _external=True, pictureId=picId, format="jpg")
 
 
-def _getSDJpgPictureURL(picId: str, status: Optional[str]):
+def _getSDJpgPictureURL(picId: str, visibility: Optional[str]):
     external_url = utils.pictures.getPublicDerivatePictureExternalUrl(picId, format="jpg", derivateFileName="sd.jpg")
-    if external_url and status == "ready":  # we always serve non ready pictures through the API to be able to check permission:
+    if external_url and visibility == "anyone":  # we always serve non public pictures through the API to be able to check permission:
         return external_url
     return url_for("pictures.getPictureSD", _external=True, pictureId=picId, format="jpg")
 
 
-def _getThumbJpgPictureURL(picId: str, status: Optional[str]):
+def _getThumbJpgPictureURL(picId: str, visibility: Optional[str]):
     external_url = utils.pictures.getPublicDerivatePictureExternalUrl(picId, format="jpg", derivateFileName="thumb.jpg")
-    if external_url and status == "ready":  # we always serve non ready pictures through the API to be able to check permission
+    if external_url and visibility == "anyone":  # we always serve non public pictures through the API to be able to check permission
         return external_url
     return url_for("pictures.getPictureThumb", _external=True, pictureId=picId, format="jpg")
 
 
-def _getTilesJpgPictureURL(picId: str, status: Optional[str]):
+def _getTilesJpgPictureURL(picId: str, visibility: Optional[str]):
     external_url = utils.pictures.getPublicDerivatePictureExternalUrl(picId, format="jpg", derivateFileName="tiles/{TileCol}_{TileRow}.jpg")
-    if external_url and status == "ready":  # we always serve non ready pictures through the API to be able to check permission:
+    if external_url and visibility == "anyone":  # we always serve non public pictures through the API to be able to check permission:
         return external_url
     return unquote(url_for("pictures.getPictureTile", _external=True, pictureId=picId, format="jpg", col="{TileCol}", row="{TileRow}"))