Insufficient privileges when opening the "Share album" dialog as a regular user #2058

Closed
nanawel opened this issue Nov 18, 2023 · 0 comments · Fixed by #2035

nanawel (Contributor) commented Nov 18, 2023

Detailed description of the problem

As a regular user, I can no longer open the "Share album with users" dialog on an album I own.
I get the message "error - insufficient privileges" in the notification bar on top of the page, and the dialog opens but never lists the users. I can see a 413 in the console when opening the developer tools.

The dialog works fine with the "admin" user.

It must be a recent regression because I've had this instance for several years now and it never did this. I'm using Docker and a script that automatically updates the image when a newer one is available, so I cannot tell exactly when this bug was introduced.

Steps to reproduce the issue

Steps to reproduce the behavior:

  1. Log in as a regular user
  2. Go to any of your albums
  3. Click on the "Share album with users" in the top right
  4. The dialog opens but never lists the users


Output of the diagnostics

    Diagnostics
    -------
    Warning: Dropbox import not working. dropbox_key is empty.
    Error: APP_URL does not match the current url. This will break WebAuthn authentication. Please update APP_URL to reflect this change.
    Warning: Default timezone not properly set; you might experience strange results when importing photos without explicit EXIF timezone
    Warning: git (software) is not available.

    System Information
    --------------
    Lychee Version (git):                    ?? (a87d2e2) -- Could not compare.
    DB Version:                              4.13.0
    
    composer install:                        --no-dev
    APP_ENV:                                 production
    APP_DEBUG:                               false
    
    System:                                  Linux
    PHP Version:                             8.2.7
    PHP User agent:                          Lychee/4 (https://lycheeorg.github.io/)
    Timezone:                                UTC
    Max uploaded file size:                  1G
    Max post size:                           1G
    Max execution time:                      3600
    SQLite Version:                          3.40.1
    
    exec() Available:                        yes
    Imagick Available:                       1
    Imagick Enabled:                         1
    Imagick Version:                         1691
    GD Version:                              2.3.3
    Number of foreign key:                   9 found.

    Config Information
    --------------
    version:                                 041300
    check_for_updates:                       0
    sorting_photos_col:                      taken_at
    sorting_photos_order:                    ASC
    sorting_albums_col:                      title
    sorting_albums_order:                    DESC
    imagick:                                 1
    skip_duplicates:                         0
    small_max_width:                         0
    small_max_height:                        360
    medium_max_width:                        1920
    medium_max_height:                       1080
    lang:                                    fr
    image_overlay_type:                      desc
    default_license:                         reserved
    compression_quality:                     90
    grants_full_photo_access:                1
    delete_imported:                         0
    mod_frame_enabled:                       1
    mod_frame_refresh:                       30
    thumb_2x:                                1
    small_2x:                                1
    medium_2x:                               1
    landing_page_enable:                     0
    site_owner:                              Anaël
    landing_title:                           John Smith
    landing_subtitle:                        
    sm_facebook_url:
    sm_flickr_url:                           
    sm_twitter_url:
    sm_instagram_url:
    sm_youtube_url:                          
    landing_background:                      dist/cat.webp
    site_title:                              Lychee
    footer_show_copyright:                   0
    site_copyright_begin:                    2019
    site_copyright_end:                      2019
    footer_additional_text:
    footer_show_social_media:                0
    public_search:                           0
    SL_enable:                               0
    SL_for_admin:                            0
    recent_age:                              1
    grants_download:                         0
    photos_wraparound:                       1
    map_display:                             0
    zip64:                                   1
    map_display_public:                      0
    map_provider:                            Wikimedia
    force_32bit_ids:                         0
    map_include_subalbums:                   0
    update_check_every_days:                 3
    has_exiftool:                            1
    share_button_visible:                    0
    import_via_symlink:                      0
    has_ffmpeg:                              1
    location_decoding:                       0
    location_decoding_timeout:               30
    location_show:                           1
    location_show_public:                    0
    rss_enable:                              0
    rss_recent_days:                         7
    rss_max_items:                           100
    prefer_available_xmp_metadata:           0
    editor_enabled:                          1
    lossless_optimization:                   0
    swipe_tolerance_x:                       150
    swipe_tolerance_y:                       250
    local_takestamp_video_formats:           .avi|.mov
    log_max_num_line:                        1000
    unlock_password_photos_with_url_param:   0
    nsfw_visible:                            1
    nsfw_blur:                               0
    nsfw_warning:                            0
    nsfw_warning_admin:                      0
    nsfw_banner_override:                    
    map_display_direction:                   1
    album_subtitle_type:                     oldstyle
    upload_processing_limit:                 4
    public_photos_hidden:                    1
    new_photos_notification:                 0
    legacy_id_redirection:                   1
    zip_deflate_level:                       6
    SA_enabled:                              1
    default_album_protection:                1
    album_decoration:                        layers
    album_decoration_orientation:            row
    allow_username_change:                   1
    auto_fix_orientation:                    1
    use_job_queues:                          0
    random_album_id:                         starred
    use_last_modified_date_when_no_exif_date: 0
    ffmpeg_path:                             /usr/bin/ffmpeg
    ffprobe_path:                            /usr/bin/ffprobe
    layout:                                  justified

The warning messages are quite disturbing since the APP_URL is defined in the .env file loaded via docker-compose, and the timezone is set at the same place with PHP_TZ.
I can confirm those values are present in the container using the env command in a shell.

Browser and system

Firefox 119.0.1
