1
0
mirror of https://github.com/immich-app/immich.git synced 2024-12-25 10:43:13 +02:00

fix(server): timeline bucket access for shared links (#4404)

This commit is contained in:
Jason Rasmussen 2023-10-09 11:57:36 -04:00 committed by GitHub
parent 2ea080cacd
commit ebb50476ac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 5 deletions

View File

@ -177,13 +177,15 @@ export class AssetService {
private async timeBucketChecks(authUser: AuthUserDto, dto: TimeBucketDto) {
if (dto.albumId) {
await this.access.requirePermission(authUser, Permission.ALBUM_READ, [dto.albumId]);
} else if (dto.userId) {
} else {
dto.userId = dto.userId || authUser.id;
}
if (dto.userId) {
await this.access.requirePermission(authUser, Permission.TIMELINE_READ, [dto.userId]);
if (dto.isArchived !== false) {
await this.access.requirePermission(authUser, Permission.ARCHIVE_READ, [dto.userId]);
}
await this.access.requirePermission(authUser, Permission.TIMELINE_READ, [dto.userId]);
} else {
dto.userId = authUser.id;
}
}

View File

@ -4,10 +4,11 @@ import {
IPersonRepository,
LibraryResponseDto,
LoginResponseDto,
SharedLinkResponseDto,
TimeBucketSize,
} from '@app/domain';
import { AssetController } from '@app/immich';
import { AssetEntity, AssetType } from '@app/infra/entities';
import { AssetEntity, AssetType, SharedLinkType } from '@app/infra/entities';
import { INestApplication } from '@nestjs/common';
import { api } from '@test/api';
import { errorStub, uuidStub } from '@test/fixtures';
@ -76,6 +77,7 @@ describe(`${AssetController.name} (e2e)`, () => {
let server: any;
let assetRepository: IAssetRepository;
let defaultLibrary: LibraryResponseDto;
let sharedLink: SharedLinkResponseDto;
let user1: LoginResponseDto;
let user2: LoginResponseDto;
let asset1: AssetEntity;
@ -114,6 +116,11 @@ describe(`${AssetController.name} (e2e)`, () => {
createAsset(assetRepository, user1, defaultLibrary.id, new Date('1970-02-01')),
createAsset(assetRepository, user2, defaultLibrary.id, new Date('1970-01-01')),
]);
sharedLink = await api.sharedLinkApi.create(server, user1.accessToken, {
type: SharedLinkType.INDIVIDUAL,
assetIds: [asset1.id, asset2.id],
});
});
afterAll(async () => {
@ -507,6 +514,15 @@ describe(`${AssetController.name} (e2e)`, () => {
);
});
it('should not allow access for unrelated shared links', async () => {
const { status, body } = await request(server)
.get('/asset/time-buckets')
.query({ key: sharedLink.key, size: TimeBucketSize.MONTH });
expect(status).toBe(400);
expect(body).toEqual(errorStub.noPermission);
});
it('should get time buckets by day', async () => {
const { status, body } = await request(server)
.get('/asset/time-buckets')