refactor(server): shared link asset access check (#2680)

2024-12-25 10:43:13 +02:00 · 2023-06-07 00:34:42 -04:00 · 2023-06-07 00:34:42 -04:00 · 284edd97d6
commit 284edd97d6
parent d1b0b64d59
9 changed files with 39 additions and 38 deletions
--- a/server/apps/immich/src/api-v1/asset/asset.service.spec.ts
+++ b/server/apps/immich/src/api-v1/asset/asset.service.spec.ts
@ -225,7 +225,7 @@ describe('AssetService', () => {

      assetRepositoryMock.getById.mockResolvedValue(asset1);
      sharedLinkRepositoryMock.get.mockResolvedValue(null);
-      sharedLinkRepositoryMock.hasAssetAccess.mockResolvedValue(true);
+      accessMock.hasSharedLinkAssetAccess.mockResolvedValue(true);

      await expect(sut.addAssetsToSharedLink(authDto, dto)).rejects.toBeInstanceOf(BadRequestException);

@ -242,7 +242,7 @@ describe('AssetService', () => {

      assetRepositoryMock.getById.mockResolvedValue(asset1);
      sharedLinkRepositoryMock.get.mockResolvedValue(sharedLinkStub.valid);
-      sharedLinkRepositoryMock.hasAssetAccess.mockResolvedValue(true);
+      accessMock.hasSharedLinkAssetAccess.mockResolvedValue(true);
      sharedLinkRepositoryMock.update.mockResolvedValue(sharedLinkStub.valid);

      await expect(sut.addAssetsToSharedLink(authDto, dto)).resolves.toEqual(sharedLinkResponseStub.valid);
@ -260,7 +260,7 @@ describe('AssetService', () => {

      assetRepositoryMock.getById.mockResolvedValue(asset1);
      sharedLinkRepositoryMock.get.mockResolvedValue(sharedLinkStub.valid);
-      sharedLinkRepositoryMock.hasAssetAccess.mockResolvedValue(true);
+      accessMock.hasSharedLinkAssetAccess.mockResolvedValue(true);
      sharedLinkRepositoryMock.update.mockResolvedValue(sharedLinkStub.valid);

      await expect(sut.removeAssetsFromSharedLink(authDto, dto)).resolves.toEqual(sharedLinkResponseStub.valid);
--- a/server/apps/immich/src/api-v1/asset/asset.service.ts
+++ b/server/apps/immich/src/api-v1/asset/asset.service.ts
@ -564,10 +564,12 @@ export class AssetService {
  }

  private async checkAssetsAccess(authUser: AuthUserDto, assetIds: string[], mustBeOwner = false) {
+    const sharedLinkId = authUser.sharedLinkId;
+
    for (const assetId of assetIds) {
      // Step 1: Check if asset is part of a public shared
-      if (authUser.sharedLinkId) {
-        const canAccess = await this.shareCore.hasAssetAccess(authUser.sharedLinkId, assetId);
+      if (sharedLinkId) {
+        const canAccess = await this.accessRepository.hasSharedLinkAssetAccess(sharedLinkId, assetId);
        if (canAccess) {
          continue;
        }
--- a/server/libs/domain/src/access/access.repository.ts
+++ b/server/libs/domain/src/access/access.repository.ts
@ -3,4 +3,5 @@ export const IAccessRepository = 'IAccessRepository';
 export interface IAccessRepository {
  hasPartnerAccess(userId: string, partnerId: string): Promise<boolean>;
  hasPartnerAssetAccess(userId: string, assetId: string): Promise<boolean>;
+  hasSharedLinkAssetAccess(userId: string, assetId: string): Promise<boolean>;
 }
--- a/server/libs/domain/src/shared-link/shared-link.core.ts
+++ b/server/libs/domain/src/shared-link/shared-link.core.ts
@ -47,10 +47,6 @@ export class SharedLinkCore {
    return this.repository.update({ ...link, assets: newAssets });
  }

-  async hasAssetAccess(id: string, assetId: string): Promise<boolean> {
-    return this.repository.hasAssetAccess(id, assetId);
-  }
-
  checkDownloadAccess(user: AuthUserDto) {
    if (user.isPublicUser && !user.isAllowDownload) {
      throw new ForbiddenException();
--- a/server/libs/domain/src/shared-link/shared-link.repository.ts
+++ b/server/libs/domain/src/shared-link/shared-link.repository.ts
@ -9,5 +9,4 @@ export interface ISharedLinkRepository {
  create(entity: Omit<SharedLinkEntity, 'id' | 'user'>): Promise<SharedLinkEntity>;
  update(entity: Partial<SharedLinkEntity>): Promise<SharedLinkEntity>;
  remove(entity: SharedLinkEntity): Promise<void>;
-  hasAssetAccess(id: string, assetId: string): Promise<boolean>;
 }
--- a/server/libs/domain/test/access.repository.mock.ts
+++ b/server/libs/domain/test/access.repository.mock.ts
@ -4,5 +4,6 @@ export const newAccessRepositoryMock = (): jest.Mocked<IAccessRepository> => {
  return {
    hasPartnerAccess: jest.fn(),
    hasPartnerAssetAccess: jest.fn(),
+    hasSharedLinkAssetAccess: jest.fn(),
  };
 };
--- a/server/libs/domain/test/shared-link.repository.mock.ts
+++ b/server/libs/domain/test/shared-link.repository.mock.ts
@ -8,6 +8,5 @@ export const newSharedLinkRepositoryMock = (): jest.Mocked<ISharedLinkRepository
    create: jest.fn(),
    remove: jest.fn(),
    update: jest.fn(),
-    hasAssetAccess: jest.fn(),
  };
 };
--- a/server/libs/infra/src/repositories/access.repository.ts
+++ b/server/libs/infra/src/repositories/access.repository.ts
@ -1,10 +1,13 @@
 import { IAccessRepository } from '@app/domain';
 import { InjectRepository } from '@nestjs/typeorm';
 import { Repository } from 'typeorm';
-import { PartnerEntity } from '../entities';
+import { PartnerEntity, SharedLinkEntity } from '../entities';

 export class AccessRepository implements IAccessRepository {
-  constructor(@InjectRepository(PartnerEntity) private partnerRepository: Repository<PartnerEntity>) {}
+  constructor(
+    @InjectRepository(PartnerEntity) private partnerRepository: Repository<PartnerEntity>,
+    @InjectRepository(SharedLinkEntity) private sharedLinkRepository: Repository<SharedLinkEntity>,
+  ) {}

  hasPartnerAccess(userId: string, partnerId: string): Promise<boolean> {
    return this.partnerRepository.exist({
@ -35,4 +38,29 @@ export class AccessRepository implements IAccessRepository {
      },
    });
  }
+
+  async hasSharedLinkAssetAccess(sharedLinkId: string, assetId: string): Promise<boolean> {
+    return (
+      // album asset
+      (await this.sharedLinkRepository.exist({
+        where: {
+          id: sharedLinkId,
+          album: {
+            assets: {
+              id: assetId,
+            },
+          },
+        },
+      })) ||
+      // individual asset
+      (await this.sharedLinkRepository.exist({
+        where: {
+          id: sharedLinkId,
+          assets: {
+            id: assetId,
+          },
+        },
+      }))
+    );
+  }
 }
--- a/server/libs/infra/src/repositories/shared-link.repository.ts
+++ b/server/libs/infra/src/repositories/shared-link.repository.ts
@ -86,31 +86,6 @@ export class SharedLinkRepository implements ISharedLinkRepository {
    await this.repository.remove(entity);
  }

-  async hasAssetAccess(id: string, assetId: string): Promise<boolean> {
-    return (
-      // album asset
-      (await this.repository.exist({
-        where: {
-          id,
-          album: {
-            assets: {
-              id: assetId,
-            },
-          },
-        },
-      })) ||
-      // individual asset
-      (await this.repository.exist({
-        where: {
-          id,
-          assets: {
-            id: assetId,
-          },
-        },
-      }))
-    );
-  }
-
  private async save(entity: Partial<SharedLinkEntity>): Promise<SharedLinkEntity> {
    await this.repository.save(entity);
    return this.repository.findOneOrFail({ where: { id: entity.id } });