From e5f704cf3b073aab327c1b05162fab933efdf1ea Mon Sep 17 00:00:00 2001
From: Daniel Dietzler <36593685+danieldietzler@users.noreply.github.com>
Date: Tue, 3 Oct 2023 18:36:51 +0200
Subject: [PATCH] fix asset upload permissions for shared links (#4325)

---
 server/src/domain/access/access.core.ts         | 11 +++++++----
 server/src/immich/api-v1/asset/asset.service.ts |  4 ++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/server/src/domain/access/access.core.ts b/server/src/domain/access/access.core.ts
index 0922abbae2..39e190670e 100644
--- a/server/src/domain/access/access.core.ts
+++ b/server/src/domain/access/access.core.ts
@@ -10,6 +10,7 @@ export enum Permission {
   ASSET_SHARE = 'asset.share',
   ASSET_VIEW = 'asset.view',
   ASSET_DOWNLOAD = 'asset.download',
+  ASSET_UPLOAD = 'asset.upload',
 
   // ALBUM_CREATE = 'album.create',
   ALBUM_READ = 'album.read',
@@ -26,7 +27,6 @@ export enum Permission {
 
   LIBRARY_CREATE = 'library.create',
   LIBRARY_READ = 'library.read',
-  LIBRARY_WRITE = 'library.write',
   LIBRARY_UPDATE = 'library.update',
   LIBRARY_DELETE = 'library.delete',
   LIBRARY_DOWNLOAD = 'library.download',
@@ -96,6 +96,9 @@ export class AccessCore {
       case Permission.ASSET_DOWNLOAD:
         return !!authUser.isAllowDownload && (await this.repository.asset.hasSharedLinkAccess(sharedLinkId, id));
 
+      case Permission.ASSET_UPLOAD:
+        return authUser.isAllowUpload;
+
       case Permission.ASSET_SHARE:
         // TODO: fix this to not use authUser.id for shared link access control
         return this.repository.asset.hasOwnerAccess(authUser.id, id);
@@ -166,6 +169,9 @@ export class AccessCore {
           (await this.repository.album.hasSharedAlbumAccess(authUser.id, id))
         );
 
+      case Permission.ASSET_UPLOAD:
+        return this.repository.library.hasOwnerAccess(authUser.id, id);
+
       case Permission.ALBUM_REMOVE_ASSET:
         return this.repository.album.hasOwnerAccess(authUser.id, id);
 
@@ -184,9 +190,6 @@ export class AccessCore {
           (await this.repository.library.hasPartnerAccess(authUser.id, id))
         );
 
-      case Permission.LIBRARY_WRITE:
-        return this.repository.library.hasOwnerAccess(authUser.id, id);
-
       case Permission.LIBRARY_UPDATE:
         return this.repository.library.hasOwnerAccess(authUser.id, id);
 
diff --git a/server/src/immich/api-v1/asset/asset.service.ts b/server/src/immich/api-v1/asset/asset.service.ts
index 30aeec55cb..5a32229dd0 100644
--- a/server/src/immich/api-v1/asset/asset.service.ts
+++ b/server/src/immich/api-v1/asset/asset.service.ts
@@ -91,7 +91,7 @@ export class AssetService {
 
     try {
       const libraryId = await this.getLibraryId(authUser, dto.libraryId);
-      await this.access.requirePermission(authUser, Permission.LIBRARY_WRITE, libraryId);
+      await this.access.requirePermission(authUser, Permission.ASSET_UPLOAD, libraryId);
       if (livePhotoFile) {
         const livePhotoDto = { ...dto, assetType: AssetType.VIDEO, isVisible: false, libraryId };
         livePhotoAsset = await this.assetCore.create(authUser, livePhotoDto, livePhotoFile);
@@ -163,7 +163,7 @@ export class AssetService {
 
     try {
       const libraryId = await this.getLibraryId(authUser, dto.libraryId);
-      await this.access.requirePermission(authUser, Permission.LIBRARY_WRITE, libraryId);
+      await this.access.requirePermission(authUser, Permission.ASSET_UPLOAD, libraryId);
       const asset = await this.assetCore.create(authUser, { ...dto, libraryId }, assetFile, undefined, dto.sidecarPath);
       return { id: asset.id, duplicate: false };
     } catch (error: QueryFailedError | Error | any) {