mirror of
https://github.com/immich-app/immich.git
synced 2024-12-29 15:11:58 +00:00
fix(server): avoid leaking people data on shared links (#6779)
* fix: avoid leaking people data on shared links * test: add e2e test
This commit is contained in:
parent
e90d3a169c
commit
1bfef200a5
2 changed files with 42 additions and 1 deletions
|
@ -559,6 +559,47 @@ describe(`${AssetController.name} (e2e)`, () => {
|
|||
expect(status).toBe(200);
|
||||
expect(body).toMatchObject({ id: asset1.id });
|
||||
});
|
||||
|
||||
it('should not send people data for shared links for un-authenticated users', async () => {
|
||||
const personRepository = app.get<IPersonRepository>(IPersonRepository);
|
||||
const person = await personRepository.create({ ownerId: asset1.ownerId, name: 'Test Person' });
|
||||
|
||||
await personRepository.createFaces([
|
||||
{
|
||||
assetId: asset1.id,
|
||||
personId: person.id,
|
||||
embedding: Array.from({ length: 512 }, Math.random),
|
||||
},
|
||||
]);
|
||||
|
||||
const { status, body } = await request(server)
|
||||
.put(`/asset/${asset1.id}`)
|
||||
.set('Authorization', `Bearer ${user1.accessToken}`)
|
||||
.send({ isFavorite: true });
|
||||
expect(status).toEqual(200);
|
||||
expect(body).toMatchObject({
|
||||
id: asset1.id,
|
||||
isFavorite: true,
|
||||
people: [
|
||||
{
|
||||
birthDate: null,
|
||||
id: expect.any(String),
|
||||
isHidden: false,
|
||||
name: 'Test Person',
|
||||
thumbnailPath: '',
|
||||
},
|
||||
],
|
||||
});
|
||||
|
||||
const sharedLink = await api.sharedLinkApi.create(server, user1.accessToken, {
|
||||
type: SharedLinkType.INDIVIDUAL,
|
||||
assetIds: [asset1.id],
|
||||
});
|
||||
|
||||
const data = await request(server).get(`/asset/assetById/${asset1.id}?key=${sharedLink.key}`);
|
||||
expect(data.status).toBe(200);
|
||||
expect(data.body).toMatchObject({ people: [] });
|
||||
});
|
||||
});
|
||||
|
||||
describe('GET /asset/:id', () => {
|
||||
|
|
|
@ -321,7 +321,7 @@ export class AssetService {
|
|||
delete data.owner;
|
||||
}
|
||||
|
||||
if (data.ownerId !== auth.user.id) {
|
||||
if (data.ownerId !== auth.user.id || auth.sharedLink) {
|
||||
data.people = [];
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue