Fix share access to attachments for notes protected by login:password

2025-12-04 14:34:24 +01:00 · 2025-11-21 19:52:22 +00:00 · 2025-11-21 19:52:22 +00:00 · 5d5fd2079a
commit 5d5fd2079a
parent c16eee79d4
8 changed files with 201 additions and 49 deletions
--- a/.gitignore
+++ b/.gitignore
@ -8,6 +8,7 @@ out-tsc
 # dependencies
 node_modules
 .pnpm-store
 # IDEs and editors
 /.idea
@ -18,6 +19,7 @@ node_modules
 *.launch
 .settings/
 *.sublime-workspace
 .devcontainer
 # misc
 /.sass-cache
--- a/README.md
+++ b/README.md
@ -146,6 +146,21 @@ Here's the language coverage we have so far:
 ### Code
 General (OS / docker / podman, etc.) dependencies: 
 Debian
 ```
 apt update
 apt install -y build-essential python3 make g++ libsqlite3-dev
 corepack enable
 ```
 Alpine
 ```
 apk add --no-cache build-base python3 python3-dev sqlite-dev
 corepack enable
 ```
 Download the repository, install dependencies using `pnpm` and then run the server (available at http://localhost:8080):
 ```shell
 git clone https://github.com/TriliumNext/Trilium.git
@ -154,6 +169,10 @@ pnpm install
 pnpm run server:start
 ```
 > If you faced with some problems, try to delete all `node_modules` and `.pnpm-store` folders, not only from the root, from every directory, like `apps/{app_name}/node_modules`and `/packages/{package_name}/node_modules` and then reinstall it by the `pnpm install`.
 Share styles not compiling by default, if you see share page without styles, make `pnpm run server:build` and then run development server.
 ### Documentation
 Download the repository, install dependencies using `pnpm` and then run the environment required to edit the documentation:
--- a/apps/server/src/share/content_renderer.ts
+++ b/apps/server/src/share/content_renderer.ts
@ -40,6 +40,13 @@ interface Subroot {
 type GetNoteFunction = (id: string) => SNote | BNote | null;
 function addContentAccessQuery(note: SNote | BNote, secondEl?:boolean) {
    if (!(note instanceof BNote) && note.contentAccessor && note.contentAccessor?.type === "query") {
        return secondEl ? `&cat=${note.contentAccessor.getToken()}` : `?cat=${note.contentAccessor.getToken()}`;
    }
    return ""
 }
 function getSharedSubTreeRoot(note: SNote | BNote | undefined): Subroot {
    if (!note || note.noteId === shareRoot.SHARE_ROOT_NOTE_ID) {
        // share root itself is not shared
@ -111,7 +118,7 @@ export function renderNoteContent(note: SNote) {
        cssToLoad.push(`assets/scripts.css`);
    }
    for (const cssRelation of note.getRelations("shareCss")) {
-        cssToLoad.push(`api/notes/${cssRelation.value}/download`);
+        cssToLoad.push(`api/notes/${cssRelation.value}/download${addContentAccessQuery(note)}`);
    }
    // Determine JS to load.
@ -119,11 +126,11 @@ export function renderNoteContent(note: SNote) {
        "assets/scripts.js"
    ];
    for (const jsRelation of note.getRelations("shareJs")) {
-        jsToLoad.push(`api/notes/${jsRelation.value}/download`);
+        jsToLoad.push(`api/notes/${jsRelation.value}/download${addContentAccessQuery(note)}`);
    }
    const customLogoId = note.getRelation("shareLogo")?.value;
-    const logoUrl = customLogoId ? `api/images/${customLogoId}/image.png` : `../${assetUrlFragment}/images/icon-color.svg`;
+    const logoUrl = customLogoId ? `api/images/${customLogoId}/image.png${addContentAccessQuery(note)}` : `../${assetUrlFragment}/images/icon-color.svg`;
    return renderNoteContentInternal(note, {
        subRoot,
@ -133,7 +140,7 @@ export function renderNoteContent(note: SNote) {
        logoUrl,
        ancestors,
        isStatic: false,
-        faviconUrl: note.hasRelation("shareFavicon") ? `api/notes/${note.getRelationValue("shareFavicon")}/download` : `../favicon.ico`
+        faviconUrl: note.hasRelation("shareFavicon") ? `api/notes/${note.getRelationValue("shareFavicon")}/download${addContentAccessQuery(note)}` : `../favicon.ico`
    });
 }
@ -158,6 +165,7 @@ function renderNoteContentInternal(note: SNote | BNote, renderArgs: RenderArgs)
        isEmpty,
        assetPath: shareAdjustedAssetPath,
        assetUrlFragment,
        addContentAccessQuery: (second: boolean | undefined) => addContentAccessQuery(note, second),
        showLoginInShareTheme,
        t,
        isDev,
@ -325,7 +333,7 @@ function renderText(result: Result, note: SNote | BNote) {
            }
            if (href?.startsWith("#")) {
-                handleAttachmentLink(linkEl, href, getNote, getAttachment);
+                handleAttachmentLink(linkEl, href, getNote, getAttachment, note);
            }
        }
@ -349,7 +357,7 @@ function renderText(result: Result, note: SNote | BNote) {
    }
 }
-function handleAttachmentLink(linkEl: HTMLElement, href: string, getNote: GetNoteFunction, getAttachment: (id: string) => BAttachment | SAttachment | null) {
+function handleAttachmentLink(linkEl: HTMLElement, href: string, getNote: GetNoteFunction, getAttachment: (id: string) => BAttachment | SAttachment | null, note: SNote | BNote) {
    const linkRegExp = /attachmentId=([a-zA-Z0-9_]+)/g;
    let attachmentMatch;
    if ((attachmentMatch = linkRegExp.exec(href))) {
@ -357,7 +365,7 @@ function handleAttachmentLink(linkEl: HTMLElement, href: string, getNote: GetNot
        const attachment = getAttachment(attachmentId);
        if (attachment) {
-            linkEl.setAttribute("href", `api/attachments/${attachmentId}/download`);
+            linkEl.setAttribute("href", `api/attachments/${attachmentId}/download${addContentAccessQuery(note)}`);
            linkEl.classList.add(`attachment-link`);
            linkEl.classList.add(`role-${attachment.role}`);
            linkEl.childNodes.length = 0;
@ -430,7 +438,7 @@ function renderMermaid(result: Result, note: SNote | BNote) {
    }
    result.content = `
-<img src="api/images/${note.noteId}/${note.encodedTitle}?${note.utcDateModified}">
+<img src="api/images/${note.noteId}/${note.encodedTitle}?${note.utcDateModified}${addContentAccessQuery(note, true)}">
 <hr>
 <details>
    <summary>Chart source</summary>
@ -439,14 +447,14 @@ function renderMermaid(result: Result, note: SNote | BNote) {
 }
 function renderImage(result: Result, note: SNote | BNote) {
-    result.content = `<img src="api/images/${note.noteId}/${note.encodedTitle}?${note.utcDateModified}">`;
+    result.content = `<img src="api/images/${note.noteId}/${note.encodedTitle}?${note.utcDateModified}${addContentAccessQuery(note, true)}">`;
 }
 function renderFile(note: SNote | BNote, result: Result) {
    if (note.mime === "application/pdf") {
-        result.content = `<iframe class="pdf-view" src="api/notes/${note.noteId}/view"></iframe>`;
+        result.content = `<iframe class="pdf-view" src="api/notes/${note.noteId}/view${addContentAccessQuery(note)}"></iframe>`;
    } else {
-        result.content = `<button type="button" onclick="location.href='api/notes/${note.noteId}/download'">Download file</button>`;
+        result.content = `<button type="button" onclick="location.href='api/notes/${note.noteId}/download${addContentAccessQuery(note)}'">Download file</button>`;
    }
 }
--- a/apps/server/src/share/routes.ts
+++ b/apps/server/src/share/routes.ts
@ -60,6 +60,20 @@ function checkNoteAccess(noteId: string, req: Request, res: Response) {
    const header = req.header("Authorization");
    if (!header?.startsWith("Basic ")) {
        if (req.path.startsWith("/share/api") && note.contentAccessor) {
            let contentAccessToken = "" 
            if (note.contentAccessor.type === "cookie") contentAccessToken += req.cookies["trilium.cat"] || ""
            else if (note.contentAccessor.type === "query") contentAccessToken += req.query['cat'] || ""
            if (contentAccessToken){
                if (note.contentAccessor.isTokenValid(contentAccessToken)){
                    return note
                }
                res.status(401).send("Access is expired. Return back and update the page.");
                return false;
            }
        }
        return false;
    }
@ -124,9 +138,14 @@ function register(router: Router) {
            return;
        }
        if (note.isLabelTruthy("shareExclude")) {
            res.status(404);
            render404(res);
            return;
        }
        if (!checkNoteAccess(note.noteId, req, res)) {
            requestCredentials(res);
            return;
        }
@ -138,6 +157,10 @@ function register(router: Router) {
            return;
        }
        if (note.contentAccessor && note.contentAccessor.type === "cookie") {
            res.cookie('trilium.cat', note.contentAccessor.getToken(), { maxAge: note.contentAccessor.getTokenExpiration() * 1000, httpOnly: true })
        }
        res.send(renderNoteContent(note));
    }
@ -163,6 +186,9 @@ function register(router: Router) {
        const { shareId } = req.params;
        const note = shaca.aliasToNote[shareId] || shaca.notes[shareId];
        if (note){
            note.initContentAccessor()
        }
        renderNote(note, req, res);
    });
--- a/apps/server/src/share/shaca/entities/content_accessor.ts
+++ b/apps/server/src/share/shaca/entities/content_accessor.ts
@ -0,0 +1,81 @@
 import crypto from "crypto";
 import SNote from "./snote";
 import utils from "../../../services/utils";
 const DefaultAccessTimeoutSec = 10 * 60; // 10 minutes
 export class ContentAccessor {
    note: SNote;
    token: string;
    timestamp: number;
    type: string;
    timeout: number;
    key: Buffer;
    constructor(note: SNote) {
        this.note = note;
        this.key = crypto.randomBytes(32);
        this.token = "";
        this.timestamp = 0;
        this.timeout = Number(this.note.getAttributeValue("label", "shareAccessTokenTimeout") || DefaultAccessTimeoutSec)
        switch (this.note.getAttributeValue("label", "shareContentAccess")) {
            case "basic": this.type = "basic"; break
            case "query": this.type = "query"; break
            default: this.type = "cookie"; break
        };
    }
    __encrypt(text: string) {
        const iv = crypto.randomBytes(16); 
        const cipher = crypto.createCipheriv('aes-256-cbc', this.key, iv);
        let encrypted = cipher.update(text, 'utf8', 'hex');
        encrypted += cipher.final('hex');
        return iv.toString('hex') + encrypted; 
    }
    __decrypt(encryptedText: string) {
        try {
            const iv = Buffer.from(encryptedText.slice(0, 32), 'hex');
            const decipher = crypto.createDecipheriv('aes-256-cbc', this.key, iv);
            let decrypted = decipher.update(encryptedText.slice(32), 'hex', 'utf8');
            decrypted += decipher.final('utf8');
            return decrypted;
        } catch {
            return ""
        }
    }
    __compare(originalText: string, encryptedText: string) {
        return originalText === this.__decrypt(encryptedText)
    }
    update() {
        if (new Date().getTime() < this.timestamp + this.getTimeout() * 1000) return
        this.token = utils.randomString(36);
        this.key = crypto.randomBytes(32);
        this.timestamp = new Date().getTime();
    }
    isTokenValid(encToken: string) {
        return this.__compare(this.token, encToken) && new Date().getTime() < this.timestamp + this.getTimeout() * 1000;
    }
    getToken() {
        return this.__encrypt(this.token);
    }
    getTokenExpiration() {
        return (this.timestamp + (this.timeout * 1000) - new Date().getTime()) /1000;
    }
    getTimeout() {
        return this.timeout;
    }
    getContentAccessType() {
       return this.type;
    }
 }
--- a/apps/server/src/share/shaca/entities/snote.ts
+++ b/apps/server/src/share/shaca/entities/snote.ts
@ -10,6 +10,7 @@ import type SAttribute from "./sattribute.js";
 import type SBranch from "./sbranch.js";
 import type { SNoteRow } from "./rows.js";
 import { NOTE_TYPE_ICONS } from "../../../becca/entities/bnote.js";
 import { ContentAccessor } from "./content_accessor.js";
 const LABEL = "label";
 const RELATION = "relation";
@ -33,6 +34,7 @@ class SNote extends AbstractShacaEntity {
    private __inheritableAttributeCache: SAttribute[] | null;
    targetRelations: SAttribute[];
    attachments: SAttachment[];
    contentAccessor: ContentAccessor | undefined;
    constructor([noteId, title, type, mime, blobId, utcDateModified, isProtected]: SNoteRow) {
        super();
@ -59,6 +61,15 @@ class SNote extends AbstractShacaEntity {
        this.shaca.notes[this.noteId] = this;
    }
    initContentAccessor(){
        if (!this.contentAccessor && this.getCredentials().length > 0) {
            this.contentAccessor = new ContentAccessor(this);
        }
        if (this.contentAccessor) {
            this.contentAccessor.update()
        }
    }
    getParentBranches() {
        return this.parentBranches;
    }
@ -72,7 +83,7 @@ class SNote extends AbstractShacaEntity {
    }
    getVisibleChildBranches() {
-        return this.getChildBranches().filter((branch) => !branch.isHidden && !branch.getNote().isLabelTruthy("shareHiddenFromTree"));
+        return this.getChildBranches().filter((branch) => !branch.isHidden && !branch.getNote().isLabelTruthy("shareHiddenFromTree") && !branch.getNote().isLabelTruthy("shareExclude"));
    }
    getParentNotes() {
@ -80,7 +91,7 @@ class SNote extends AbstractShacaEntity {
    }
    getChildNotes() {
-        return this.children;
+        return this.children.filter((note) => !note.isLabelTruthy("shareExclude"));
    }
    getVisibleChildNotes() {
--- a/Usage/Sharing.md
+++ b/Usage/Sharing.md
@ -131,7 +131,7 @@ To do so, create a shared text note and apply the `shareIndex` label. When viewe
 ## Attribute reference
-<table class="ck-table-resized"><colgroup><col style="width:18.38%;"><col style="width:81.62%;"></colgroup><thead><tr><th>Attribute</th><th>Description</th></tr></thead><tbody><tr><td><code>#shareHiddenFromTree</code></td><td>this note is hidden from left navigation tree, but still accessible with its URL</td></tr><tr><td><code>#shareExternalLink</code></td><td>note will act as a link to an external website in the share tree</td></tr><tr><td><code>#shareAlias</code></td><td>define an alias using which the note will be available under <code>https://your_trilium_host/share/[your_alias]</code></td></tr><tr><td><code>#shareOmitDefaultCss</code></td><td>default share page CSS will be omitted. Use when you make extensive styling changes.</td></tr><tr><td><code>#shareRoot</code></td><td>marks note which is served on /share root.</td></tr><tr><td><code>#shareDescription</code></td><td>define text to be added to the HTML meta tag for description</td></tr><tr><td><code>#shareRaw</code></td><td>Note will be served in its raw format, without HTML wrapper. See also&nbsp;<a class="reference-link" href="Sharing/Serving%20directly%20the%20content%20o.md">Serving directly the content of a note</a>&nbsp;for an alternative method without setting an attribute.</td></tr><tr><td><code>#shareDisallowRobotIndexing</code></td><td><p>Indicates to web crawlers that the page should not be indexed of this note by:</p><ul><li data-list-item-id="e6baa9f60bf59d085fd31aa2cce07a0e7">Setting the <code>X-Robots-Tag: noindex</code> HTTP header.</li><li data-list-item-id="ec0d067db136ef9794e4f1033405880b7">Setting the <code>noindex, follow</code> meta tag.</li></ul></td></tr><tr><td><code>#shareCredentials</code></td><td>require credentials to access this shared note. Value is expected to be in format <code>username:password</code>. Don't forget to make this inheritable to apply to child-notes/images.</td></tr><tr><td><code>#shareIndex</code></td><td>Note with this label will list all roots of shared notes.</td></tr><tr><td><code>#shareHtmlLocation</code></td><td>defines where custom HTML injected via <code>~shareHtml</code> relation should be placed. Applied to the HTML snippet note itself. Format: <code>location:position</code> where location is <code>head</code>, <code>body</code>, or <code>content</code> and position is <code>start</code> or <code>end</code>. Defaults to <code>content:end</code>.</td></tr></tbody></table>
+<table class="ck-table-resized"><colgroup><col style="width:18.38%;"><col style="width:81.62%;"></colgroup><thead><tr><th>Attribute</th><th>Description</th></tr></thead><tbody><tr><td><code>#shareHiddenFromTree</code></td><td>this note is hidden from left navigation tree, but still accessible with its URL</td></tr><tr><td><code>#shareTemplateNoPrevNext</code></td><td>hide bottom page navigation prev and next page.</td></tr><tr><td><code>#shareTemplateNoLeftPanel</code></td><td>hide left panel fully.</td></tr><tr><td><code>#shareExclude</code></td><td>this note will be excluded from share, not accessible via direct URL (implemented to hide scripts from share)</td></tr><tr><td><code>#shareContentAccess</code></td><td>method for attachments authorization in case when note protected with login and password (#shareCredentials). Could be cookie (the cookie will be provided when page loads) / query (every url will be updated with token) / basic (only basic header authorization)). By default for browser used cookie.</td></tr><tr><td><code>#shareAccessTokenTimeout</code></td><td>token expiration timeout in seconds, by default 10 minutes. While token not expired user could download attachment, after that he will get message `Access is expired. Return back and update the page.`</td></tr><tr><td><code>#shareExternalLink</code></td><td>note will act as a link to an external website in the share tree</td></tr><tr><td><code>#shareAlias</code></td><td>define an alias using which the note will be available under <code>https://your_trilium_host/share/[your_alias]</code></td></tr><tr><td><code>#shareOmitDefaultCss</code></td><td>default share page CSS will be omitted. Use when you make extensive styling changes.</td></tr><tr><td><code>#shareRoot</code></td><td>marks note which is served on /share root.</td></tr><tr><td><code>#shareDescription</code></td><td>define text to be added to the HTML meta tag for description</td></tr><tr><td><code>#shareRaw</code></td><td>Note will be served in its raw format, without HTML wrapper. See also&nbsp;<a class="reference-link" href="Sharing/Serving%20directly%20the%20content%20o.md">Serving directly the content of a note</a>&nbsp;for an alternative method without setting an attribute.</td></tr><tr><td><code>#shareDisallowRobotIndexing</code></td><td><p>Indicates to web crawlers that the page should not be indexed of this note by:</p><ul><li data-list-item-id="e6baa9f60bf59d085fd31aa2cce07a0e7">Setting the <code>X-Robots-Tag: noindex</code> HTTP header.</li><li data-list-item-id="ec0d067db136ef9794e4f1033405880b7">Setting the <code>noindex, follow</code> meta tag.</li></ul></td></tr><tr><td><code>#shareCredentials</code></td><td>require credentials to access this shared note. Value is expected to be in format <code>username:password</code>. Don't forget to make this inheritable to apply to child-notes/images.</td></tr><tr><td><code>#shareIndex</code></td><td>Note with this label will list all roots of shared notes.</td></tr><tr><td><code>#shareHtmlLocation</code></td><td>defines where custom HTML injected via <code>~shareHtml</code> relation should be placed. Applied to the HTML snippet note itself. Format: <code>location:position</code> where location is <code>head</code>, <code>body</code>, or <code>content</code> and position is <code>start</code> or <code>end</code>. Defaults to <code>content:end</code>.</td></tr></tbody></table>
 ### Customizing logo
--- a/packages/share-theme/src/templates/page.ejs
+++ b/packages/share-theme/src/templates/page.ejs
@ -50,7 +50,7 @@
        let openGraphImage = subRoot.note.getLabelValue("shareOpenGraphImage");
        // Relation takes priority and requires some altering
        if (subRoot.note.hasRelation("shareOpenGraphImage")) {
-            openGraphImage = `api/images/${subRoot.note.getRelation("shareOpenGraphImage").value}/image.png`;
+            openGraphImage = `api/images/${subRoot.note.getRelation("shareOpenGraphImage").value}/image.png${addContentAccessQuery()}`;
        }
    %>
    <title><%= pageTitle %></title>
@ -109,40 +109,43 @@ content = content.replaceAll(headingRe, (...match) => {
    <button aria-label="Show Mobile Menu" id="show-menu-button"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="currentColor"><path d="M4 6h16v2H4zm0 5h16v2H4zm0 5h16v2H4z"></path></svg></button>
 </div>
 <div id="split-pane">
-    <div id="left-pane">
+    <% if (!note.isLabelTruthy("shareTemplateNoLeftPanel")) { %>
-        <div id="navigation">
+        <div id="left-pane">
-            <div id="site-header">
+            <div id="navigation">
-                <a href="<%= shareRootLink %>">
+                <div id="site-header">
-                    <img src="<%= logoUrl %>" width="<%= logoWidth %>" height="<%= logoHeight %>" alt="Logo" />
+                    <a href="<%= shareRootLink %>">
-                    <%= subRoot.note.title %>
+                        <img src="<%= logoUrl %>" width="<%= logoWidth %>" height="<%= logoHeight %>" alt="Logo" />
-                </a>
+                        <%= subRoot.note.title %>
-                <div class="theme-selection">
+                    </a>
-                    <span id="sitetheme"><%= t("share_theme.site-theme") %></span>
+                    <div class="theme-selection">
-                    <label class="switch">
+                        <span id="sitetheme"><%= t("share_theme.site-theme") %></span>
-                      <input type="checkbox" aria-labelledby="sitetheme">
+                        <label class="switch">
-                      <span class="slider"></span>
+                        <input type="checkbox" aria-labelledby="sitetheme">
-                      <svg class="dark-icon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="currentColor"><path d="M20.742 13.045a8.088 8.088 0 0 1-2.077.271c-2.135 0-4.14-.83-5.646-2.336a8.025 8.025 0 0 1-2.064-7.723A1 1 0 0 0 9.73 2.034a10.014 10.014 0 0 0-4.489 2.582c-3.898 3.898-3.898 10.243 0 14.143a9.937 9.937 0 0 0 7.072 2.93 9.93 9.93 0 0 0 7.07-2.929 10.007 10.007 0 0 0 2.583-4.491 1.001 1.001 0 0 0-1.224-1.224zm-2.772 4.301a7.947 7.947 0 0 1-5.656 2.343 7.953 7.953 0 0 1-5.658-2.344c-3.118-3.119-3.118-8.195 0-11.314a7.923 7.923 0 0 1 2.06-1.483 10.027 10.027 0 0 0 2.89 7.848 9.972 9.972 0 0 0 7.848 2.891 8.036 8.036 0 0 1-1.484 2.059z"></path></svg>
+                        <span class="slider"></span>
-                      <svg class="light-icon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="currentColor"><path d="M6.993 12c0 2.761 2.246 5.007 5.007 5.007s5.007-2.246 5.007-5.007S14.761 6.993 12 6.993 6.993 9.239 6.993 12zM12 8.993c1.658 0 3.007 1.349 3.007 3.007S13.658 15.007 12 15.007 8.993 13.658 8.993 12 10.342 8.993 12 8.993zM10.998 19h2v3h-2zm0-17h2v3h-2zm-9 9h3v2h-3zm17 0h3v2h-3zM4.219 18.363l2.12-2.122 1.415 1.414-2.12 2.122zM16.24 6.344l2.122-2.122 1.414 1.414-2.122 2.122zM6.342 7.759 4.22 5.637l1.415-1.414 2.12 2.122zm13.434 10.605-1.414 1.414-2.122-2.122 1.414-1.414z"></path></svg>
+                        <svg class="dark-icon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="currentColor"><path d="M20.742 13.045a8.088 8.088 0 0 1-2.077.271c-2.135 0-4.14-.83-5.646-2.336a8.025 8.025 0 0 1-2.064-7.723A1 1 0 0 0 9.73 2.034a10.014 10.014 0 0 0-4.489 2.582c-3.898 3.898-3.898 10.243 0 14.143a9.937 9.937 0 0 0 7.072 2.93 9.93 9.93 0 0 0 7.07-2.929 10.007 10.007 0 0 0 2.583-4.491 1.001 1.001 0 0 0-1.224-1.224zm-2.772 4.301a7.947 7.947 0 0 1-5.656 2.343 7.953 7.953 0 0 1-5.658-2.344c-3.118-3.119-3.118-8.195 0-11.314a7.923 7.923 0 0 1 2.06-1.483 10.027 10.027 0 0 0 2.89 7.848 9.972 9.972 0 0 0 7.848 2.891 8.036 8.036 0 0 1-1.484 2.059z"></path></svg>
-                    </label>
+                        <svg class="light-icon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="currentColor"><path d="M6.993 12c0 2.761 2.246 5.007 5.007 5.007s5.007-2.246 5.007-5.007S14.761 6.993 12 6.993 6.993 9.239 6.993 12zM12 8.993c1.658 0 3.007 1.349 3.007 3.007S13.658 15.007 12 15.007 8.993 13.658 8.993 12 10.342 8.993 12 8.993zM10.998 19h2v3h-2zm0-17h2v3h-2zm-9 9h3v2h-3zm17 0h3v2h-3zM4.219 18.363l2.12-2.122 1.415 1.414-2.12 2.122zM16.24 6.344l2.122-2.122 1.414 1.414-2.122 2.122zM6.342 7.759 4.22 5.637l1.415-1.414 2.12 2.122zm13.434 10.605-1.414 1.414-2.122-2.122 1.414-1.414z"></path></svg>
-                    <script>
+                        </label>
-                        const el = document.querySelector(".theme-selection input");
+                        <script>
-                        el.checked = (glob.theme === "dark");
+                            const el = document.querySelector(".theme-selection input");
-                    </script>
+                            el.checked = (glob.theme === "dark");
-                </div>
+                        </script>
                <% if (hasTree) { %>
                    <div class="search-item">
                        <svg class="search-icon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="currentColor"><path d="M10 18a7.952 7.952 0 0 0 4.897-1.688l4.396 4.396 1.414-1.414-4.396-4.396A7.952 7.952 0 0 0 18 10c0-4.411-3.589-8-8-8s-8 3.589-8 8 3.589 8 8 8zm0-14c3.309 0 6 2.691 6 6s-2.691 6-6 6-6-2.691-6-6 2.691-6 6-6z"></path></svg>
                        <input type="text" class="search-input" placeholder="<%= t("share_theme.search_placeholder") %>">
                    </div>
-                <% } %>
+                    <% if (hasTree) { %>
                        <div class="search-item">
                            <svg class="search-icon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="currentColor"><path d="M10 18a7.952 7.952 0 0 0 4.897-1.688l4.396 4.396 1.414-1.414-4.396-4.396A7.952 7.952 0 0 0 18 10c0-4.411-3.589-8-8-8s-8 3.589-8 8 3.589 8 8 8zm0-14c3.309 0 6 2.691 6 6s-2.691 6-6 6-6-2.691-6-6 2.691-6 6-6z"></path></svg>
                            <input type="text" class="search-input" placeholder="<%= t("share_theme.search_placeholder") %>">
                        </div>
                    <% } %>
                </div>
            <% if (hasTree) { %>
                <nav id="menu">
                    <%- include("tree_item", {note: subRoot.note, activeNote: note, subRoot: subRoot, ancestors}) %>
                </nav>
            <% } %>   
            </div>
        <% if (hasTree) { %>
            <nav id="menu">
                <%- include("tree_item", {note: subRoot.note, activeNote: note, subRoot: subRoot, ancestors}) %>
            </nav>
        <% } %>   
        </div>
-    </div>
+    <% } %>
    <div id="right-pane">
        <div id="main">
            <div id="content" class="type-<%= note.type %><% if (note.type === "text") { %> ck-content<% } %><% if (isEmpty) { %> no-content<% } %>">
@ -152,7 +155,9 @@ content = content.replaceAll(headingRe, (...match) => {
                    <p>This note has no content.</p>
                <% } else { %>
                    <%
-                    content = content.replace(/<img /g, `<img alt="${t("share_theme.image_alt")}" loading="lazy" `);
+                    content = content
                        .replace(/<img /g, `<img alt="${t("share_theme.image_alt")}" loading="lazy" `)
                        .replace(/src="(api\/[^"]+)"/g, (m, url) => `src="${url}${addContentAccessQuery(url.includes('?'))}"`);
                    %>
                    <%- content %>
                <% } %>
@ -189,7 +194,7 @@ content = content.replaceAll(headingRe, (...match) => {
                    </div>
                <% } %>
-                <% if (hasTree) { %>
+                <% if (hasTree && !note.isLabelTruthy("shareTemplateNoPrevNext")) { %>
                    <%- include("prev_next", { note: note, subRoot: subRoot }) %>
                <% } %>
            </footer>