mirror of
https://github.com/immich-app/immich.git
synced 2024-12-29 07:01:59 +00:00
fix(server): do not allow merging a person into themselves (#10776)
This commit is contained in:
parent
aa29f5d69c
commit
6a11464d60
2 changed files with 21 additions and 0 deletions
|
@ -230,4 +230,21 @@ describe('/people', () => {
|
|||
expect(body).toMatchObject({ birthDate: null });
|
||||
});
|
||||
});
|
||||
|
||||
describe('POST /people/:id/merge', () => {
|
||||
it('should require authentication', async () => {
|
||||
const { status, body } = await request(app).post(`/people/${uuidDto.notFound}/merge`);
|
||||
expect(status).toBe(401);
|
||||
expect(body).toEqual(errorDto.unauthorized);
|
||||
});
|
||||
|
||||
it('should not supporting merging a person into themselves', async () => {
|
||||
const { status, body } = await request(app)
|
||||
.post(`/people/${visiblePerson.id}/merge`)
|
||||
.set('Authorization', `Bearer ${admin.accessToken}`)
|
||||
.send({ ids: [visiblePerson.id] });
|
||||
expect(status).toBe(400);
|
||||
expect(body).toEqual(errorDto.badRequest('Cannot merge a person into themselves'));
|
||||
});
|
||||
});
|
||||
});
|
||||
|
|
|
@ -551,6 +551,10 @@ export class PersonService {
|
|||
|
||||
async mergePerson(auth: AuthDto, id: string, dto: MergePersonDto): Promise<BulkIdResponseDto[]> {
|
||||
const mergeIds = dto.ids;
|
||||
if (mergeIds.includes(id)) {
|
||||
throw new BadRequestException('Cannot merge a person into themselves');
|
||||
}
|
||||
|
||||
await this.access.requirePermission(auth, Permission.PERSON_WRITE, id);
|
||||
let primaryPerson = await this.findOrFail(id);
|
||||
const primaryName = primaryPerson.name || primaryPerson.id;
|
||||
|
|
Loading…
Reference in a new issue