mirror of
https://github.com/immich-app/immich.git
synced 2024-12-25 10:43:13 +02:00
fix(server): timeline bucket access for shared links (#4404)
This commit is contained in:
parent
2ea080cacd
commit
ebb50476ac
@ -177,13 +177,15 @@ export class AssetService {
|
||||
private async timeBucketChecks(authUser: AuthUserDto, dto: TimeBucketDto) {
|
||||
if (dto.albumId) {
|
||||
await this.access.requirePermission(authUser, Permission.ALBUM_READ, [dto.albumId]);
|
||||
} else if (dto.userId) {
|
||||
} else {
|
||||
dto.userId = dto.userId || authUser.id;
|
||||
}
|
||||
|
||||
if (dto.userId) {
|
||||
await this.access.requirePermission(authUser, Permission.TIMELINE_READ, [dto.userId]);
|
||||
if (dto.isArchived !== false) {
|
||||
await this.access.requirePermission(authUser, Permission.ARCHIVE_READ, [dto.userId]);
|
||||
}
|
||||
await this.access.requirePermission(authUser, Permission.TIMELINE_READ, [dto.userId]);
|
||||
} else {
|
||||
dto.userId = authUser.id;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -4,10 +4,11 @@ import {
|
||||
IPersonRepository,
|
||||
LibraryResponseDto,
|
||||
LoginResponseDto,
|
||||
SharedLinkResponseDto,
|
||||
TimeBucketSize,
|
||||
} from '@app/domain';
|
||||
import { AssetController } from '@app/immich';
|
||||
import { AssetEntity, AssetType } from '@app/infra/entities';
|
||||
import { AssetEntity, AssetType, SharedLinkType } from '@app/infra/entities';
|
||||
import { INestApplication } from '@nestjs/common';
|
||||
import { api } from '@test/api';
|
||||
import { errorStub, uuidStub } from '@test/fixtures';
|
||||
@ -76,6 +77,7 @@ describe(`${AssetController.name} (e2e)`, () => {
|
||||
let server: any;
|
||||
let assetRepository: IAssetRepository;
|
||||
let defaultLibrary: LibraryResponseDto;
|
||||
let sharedLink: SharedLinkResponseDto;
|
||||
let user1: LoginResponseDto;
|
||||
let user2: LoginResponseDto;
|
||||
let asset1: AssetEntity;
|
||||
@ -114,6 +116,11 @@ describe(`${AssetController.name} (e2e)`, () => {
|
||||
createAsset(assetRepository, user1, defaultLibrary.id, new Date('1970-02-01')),
|
||||
createAsset(assetRepository, user2, defaultLibrary.id, new Date('1970-01-01')),
|
||||
]);
|
||||
|
||||
sharedLink = await api.sharedLinkApi.create(server, user1.accessToken, {
|
||||
type: SharedLinkType.INDIVIDUAL,
|
||||
assetIds: [asset1.id, asset2.id],
|
||||
});
|
||||
});
|
||||
|
||||
afterAll(async () => {
|
||||
@ -507,6 +514,15 @@ describe(`${AssetController.name} (e2e)`, () => {
|
||||
);
|
||||
});
|
||||
|
||||
it('should not allow access for unrelated shared links', async () => {
|
||||
const { status, body } = await request(server)
|
||||
.get('/asset/time-buckets')
|
||||
.query({ key: sharedLink.key, size: TimeBucketSize.MONTH });
|
||||
|
||||
expect(status).toBe(400);
|
||||
expect(body).toEqual(errorStub.noPermission);
|
||||
});
|
||||
|
||||
it('should get time buckets by day', async () => {
|
||||
const { status, body } = await request(server)
|
||||
.get('/asset/time-buckets')
|
||||
|
Loading…
Reference in New Issue
Block a user