mirror of
https://github.com/immich-app/immich.git
synced 2024-12-24 10:37:28 +02:00
fix(server): prevent leaking isFavorite and isArchived info (#7580)
* fix: prevent leaking favorites info * add e2e test * fix: e2e test * fix: isArchived * fix: keep old version
This commit is contained in:
parent
f03381a5b1
commit
ebe7a14c14
@ -41,7 +41,7 @@ describe('/album', () => {
|
||||
]);
|
||||
|
||||
[user1Asset1, user1Asset2] = await Promise.all([
|
||||
apiUtils.createAsset(user1.accessToken),
|
||||
apiUtils.createAsset(user1.accessToken, { isFavorite: true }),
|
||||
apiUtils.createAsset(user1.accessToken),
|
||||
]);
|
||||
|
||||
@ -119,6 +119,17 @@ describe('/album', () => {
|
||||
expect(body).toEqual(errorDto.badRequest(['assetId must be a UUID']));
|
||||
});
|
||||
|
||||
it("should not show other users' favorites", async () => {
|
||||
const { status, body } = await request(app)
|
||||
.get(`/album/${user1Albums[0].id}?withoutAssets=false`)
|
||||
.set('Authorization', `Bearer ${user2.accessToken}`);
|
||||
expect(status).toEqual(200);
|
||||
expect(body).toEqual({
|
||||
...user1Albums[0],
|
||||
assets: [expect.objectContaining({ isFavorite: false })],
|
||||
});
|
||||
});
|
||||
|
||||
it('should not return shared albums with a deleted owner', async () => {
|
||||
const { status, body } = await request(app)
|
||||
.get('/album?shared=true')
|
||||
|
@ -1,6 +1,7 @@
|
||||
import { AlbumEntity } from '@app/infra/entities';
|
||||
import { ApiProperty } from '@nestjs/swagger';
|
||||
import { AssetResponseDto, mapAsset } from '../asset';
|
||||
import { AuthDto } from '../auth/auth.dto';
|
||||
import { UserResponseDto, mapUser } from '../user';
|
||||
|
||||
export class AlbumResponseDto {
|
||||
@ -24,7 +25,7 @@ export class AlbumResponseDto {
|
||||
isActivityEnabled!: boolean;
|
||||
}
|
||||
|
||||
export const mapAlbum = (entity: AlbumEntity, withAssets: boolean): AlbumResponseDto => {
|
||||
export const mapAlbum = (entity: AlbumEntity, withAssets: boolean, auth?: AuthDto): AlbumResponseDto => {
|
||||
const sharedUsers: UserResponseDto[] = [];
|
||||
|
||||
if (entity.sharedUsers) {
|
||||
@ -59,7 +60,7 @@ export const mapAlbum = (entity: AlbumEntity, withAssets: boolean): AlbumRespons
|
||||
hasSharedLink,
|
||||
startDate,
|
||||
endDate,
|
||||
assets: (withAssets ? assets : []).map((asset) => mapAsset(asset)),
|
||||
assets: (withAssets ? assets : []).map((asset) => mapAsset(asset, { auth })),
|
||||
assetCount: entity.assets?.length || 0,
|
||||
isActivityEnabled: entity.isActivityEnabled,
|
||||
};
|
||||
|
@ -104,7 +104,7 @@ export class AlbumService {
|
||||
const [albumMetadataForIds] = await this.albumRepository.getMetadataForIds([album.id]);
|
||||
|
||||
return {
|
||||
...mapAlbum(album, withAssets),
|
||||
...mapAlbum(album, withAssets, auth),
|
||||
startDate: albumMetadataForIds.startDate,
|
||||
endDate: albumMetadataForIds.endDate,
|
||||
assetCount: albumMetadataForIds.assetCount,
|
||||
|
@ -180,7 +180,7 @@ export class AssetService {
|
||||
|
||||
return {
|
||||
title: `${years} year${years > 1 ? 's' : ''} since...`,
|
||||
asset: mapAsset(asset),
|
||||
asset: mapAsset(asset, { auth }),
|
||||
};
|
||||
})
|
||||
.groupBy((asset) => asset.title)
|
||||
@ -230,8 +230,8 @@ export class AssetService {
|
||||
const timeBucketOptions = await this.buildTimeBucketOptions(auth, dto);
|
||||
const assets = await this.assetRepository.getTimeBucket(dto.timeBucket, timeBucketOptions);
|
||||
return !auth.sharedLink || auth.sharedLink?.showExif
|
||||
? assets.map((asset) => mapAsset(asset, { withStack: true }))
|
||||
: assets.map((asset) => mapAsset(asset, { stripMetadata: true }));
|
||||
? assets.map((asset) => mapAsset(asset, { withStack: true, auth }))
|
||||
: assets.map((asset) => mapAsset(asset, { stripMetadata: true, auth }));
|
||||
}
|
||||
|
||||
async buildTimeBucketOptions(auth: AuthDto, dto: TimeBucketDto): Promise<TimeBucketOptions> {
|
||||
@ -261,7 +261,7 @@ export class AssetService {
|
||||
|
||||
async getRandom(auth: AuthDto, count: number): Promise<AssetResponseDto[]> {
|
||||
const assets = await this.assetRepository.getRandom(auth.user.id, count);
|
||||
return assets.map((a) => mapAsset(a));
|
||||
return assets.map((a) => mapAsset(a, { auth }));
|
||||
}
|
||||
|
||||
async getUserAssetsByDeviceId(auth: AuthDto, deviceId: string) {
|
||||
@ -292,10 +292,10 @@ export class AssetService {
|
||||
}
|
||||
|
||||
if (auth.sharedLink && !auth.sharedLink.showExif) {
|
||||
return mapAsset(asset, { stripMetadata: true, withStack: true });
|
||||
return mapAsset(asset, { stripMetadata: true, withStack: true, auth });
|
||||
}
|
||||
|
||||
const data = mapAsset(asset, { withStack: true });
|
||||
const data = mapAsset(asset, { withStack: true, auth });
|
||||
|
||||
if (auth.sharedLink) {
|
||||
delete data.owner;
|
||||
@ -315,7 +315,7 @@ export class AssetService {
|
||||
await this.updateMetadata({ id, description, dateTimeOriginal, latitude, longitude });
|
||||
|
||||
const asset = await this.assetRepository.save({ id, ...rest });
|
||||
return mapAsset(asset);
|
||||
return mapAsset(asset, { auth });
|
||||
}
|
||||
|
||||
async updateAll(auth: AuthDto, dto: AssetBulkUpdateDto): Promise<void> {
|
||||
|
@ -1,3 +1,4 @@
|
||||
import { AuthDto } from '@app/domain/auth/auth.dto';
|
||||
import { AssetEntity, AssetFaceEntity, AssetType } from '@app/infra/entities';
|
||||
import { ApiProperty } from '@nestjs/swagger';
|
||||
import { PersonWithFacesResponseDto, mapFacesWithoutPerson, mapPerson } from '../../person/person.dto';
|
||||
@ -50,6 +51,7 @@ export class AssetResponseDto extends SanitizedAssetResponseDto {
|
||||
export type AssetMapOptions = {
|
||||
stripMetadata?: boolean;
|
||||
withStack?: boolean;
|
||||
auth?: AuthDto;
|
||||
};
|
||||
|
||||
const peopleWithFaces = (faces: AssetFaceEntity[]): PersonWithFacesResponseDto[] => {
|
||||
@ -103,8 +105,8 @@ export function mapAsset(entity: AssetEntity, options: AssetMapOptions = {}): As
|
||||
fileModifiedAt: entity.fileModifiedAt,
|
||||
localDateTime: entity.localDateTime,
|
||||
updatedAt: entity.updatedAt,
|
||||
isFavorite: entity.isFavorite,
|
||||
isArchived: entity.isArchived,
|
||||
isFavorite: options.auth?.user.id === entity.ownerId ? entity.isFavorite : false,
|
||||
isArchived: options.auth?.user.id === entity.ownerId ? entity.isArchived : false,
|
||||
isTrashed: !!entity.deletedAt,
|
||||
duration: entity.duration ?? '0:00:00.00000',
|
||||
exifInfo: entity.exifInfo ? mapExif(entity.exifInfo) : undefined,
|
||||
@ -117,7 +119,7 @@ export function mapAsset(entity: AssetEntity, options: AssetMapOptions = {}): As
|
||||
stack: withStack
|
||||
? entity.stack?.assets
|
||||
.filter((a) => a.id !== entity.stack?.primaryAssetId)
|
||||
.map((a) => mapAsset(a, { stripMetadata }))
|
||||
.map((a) => mapAsset(a, { stripMetadata, auth: options.auth }))
|
||||
: undefined,
|
||||
stackCount: entity.stack?.assets?.length ?? null,
|
||||
isExternal: entity.isExternal,
|
||||
|
Loading…
Reference in New Issue
Block a user