Changes have been made in Git (master):

commit 0adea289395196e67b49ea596a67370d2f68a340
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Sat Sep 14 10:38:46 2013 -0400

     Bug: 12668 Ensure protected images don't leak into gallery thumbnails.

  ansel/lib/ImageGenerator.php |   34 +++++-----------------------------
  ansel/lib/Tile/Gallery.php   |   41 ++++++++++++++++++++++++++++++++++-------
  2 files changed, 39 insertions(+), 36 deletions(-)

http://git.horde.org/horde-git/-/commit/0adea289395196e67b49ea596a67370d2f68a340

Not going to put image previews in the session for a variety of 
reasons. Not the least of which is these images are very expensive to 
generate.

Instead, if the gallery contains no images, instead of generating a 
new thumbnail image for the parent gallery using images from the sub 
galleries, we just pick one of the sub galleries and use the already 
existing thumbnail. If the user doesn't have Horde_Perms::READ on the 
sub gallery, it won't be available for choosing.

Changes have been made in Git (master):

commit 3e394d4cd21ef015106ef36c365128d8b736a1f7
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Sat Sep 14 10:38:46 2013 -0400

     Bug: 12668 Ensure protected images don't leak into gallery thumbnails.

  ansel/lib/ImageGenerator.php |   34 +++++-----------------------------
  ansel/lib/Tile/Gallery.php   |   41 ++++++++++++++++++++++++++++++++++-------
  2 files changed, 39 insertions(+), 36 deletions(-)

http://git.horde.org/horde-git/-/commit/3e394d4cd21ef015106ef36c365128d8b736a1f7

in my case i first created all galleries without permissions for any 
user only full permissions for me. then i filled the sub galleries 
with pictures. the i gave  a group read and show permission for the 
main but not any permission for any sub gallerie

so what i understand from your explanation is that when the thumbnails 
is generated for the main gallerie it is generated from the view that 
the user has that is  triggering the generation.

perhaps these pictures should be some sort of session cached instead 
of persisted for all useres so they are generated once for a session 
and every user has the right view with respecting the permissions

Scratch this. If there are no sub-galleries than this isn't an issue 
since we simply turn-off the key-image when we have SHOW but not READ.

This happens when:

1) The "private" sub gallery has SHOW perms, but not READ perms.

2) The parent gallery has READ permissions, but not enough images in 
it to generate a key-image thumbnail so we look in the sub galleries 
that are readable *for the currently logged in user*. If the currently 
logged in user has READ on the sub galleries when the key-image 
thumbnail is generated the image could possible include a "private" 
image.

3) A user with SHOW, but not READ on the private gallery logs in. 
Since the parent gallery's thumbnail was already generated, it is used 
as is.

For the record, this will be an issue even if a gallery does not 
contain any sub galleries. This key point is that the key-image 
thumbnail may be generated by a user that has less restrictive 
permissions than the current user viewing the gallery.

Really not sure how to fix this since we are not going to generate 
these thumbnails on each page load, and we don't currently have 
image-level permissions.

Thoughts?

i have a gallery with many sub gallerys but no photos in it. all 
subgallerys are filled with the photos. when i now give a user the 
read and show permission for the top gallery the preview for this user 
shows some photos of the sub gallerys where the user has no permission 
to read or show pictures from. the preview of the top gallery looks 
like stack of polaroids like the preview of one of the previews of the 
sub galleries (in my case the first one when sortet alphabetically). 
from my point of view there shouldn't be noting displayed as preview 
in that case, or the preview of the first readable gallery for that user