c-l/immich
1
0
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2024-12-29 15:11:58 +00:00
Code Releases Activity

fix(server): timeline bucket access for shared links (#4404)

Browse source
This commit is contained in:
Jason Rasmussen 2023-10-09 11:57:36 -04:00 committed by GitHub
parent 2ea080cacd
commit ebb50476ac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
server/src/domain/asset/asset.service.ts
View file

@ -177,13 +177,15 @@ export class AssetService {
private async timeBucketChecks(authUser: AuthUserDto, dto: TimeBucketDto) {
if (dto.albumId) {
await this.access.requirePermission(authUser, Permission.ALBUM_READ, [dto.albumId]);
} else if (dto.userId) {
} else {
dto.userId = dto.userId || authUser.id;
}
if (dto.userId) {
await this.access.requirePermission(authUser, Permission.TIMELINE_READ, [dto.userId]);
if (dto.isArchived !== false) {
await this.access.requirePermission(authUser, Permission.ARCHIVE_READ, [dto.userId]);
}
await this.access.requirePermission(authUser, Permission.TIMELINE_READ, [dto.userId]);
} else {
dto.userId = authUser.id;
}
}

18
server/test/e2e/asset.e2e-spec.ts
View file

@ -4,10 +4,11 @@ import {
IPersonRepository,
LibraryResponseDto,
LoginResponseDto,
SharedLinkResponseDto,
TimeBucketSize,
} from '@app/domain';
import { AssetController } from '@app/immich';
import { AssetEntity, AssetType } from '@app/infra/entities';
import { AssetEntity, AssetType, SharedLinkType } from '@app/infra/entities';
import { INestApplication } from '@nestjs/common';
import { api } from '@test/api';
import { errorStub, uuidStub } from '@test/fixtures';
@ -76,6 +77,7 @@ describe(`${AssetController.name} (e2e)`, () => {
let server: any;
let assetRepository: IAssetRepository;
let defaultLibrary: LibraryResponseDto;
let sharedLink: SharedLinkResponseDto;
let user1: LoginResponseDto;
let user2: LoginResponseDto;
let asset1: AssetEntity;
@ -114,6 +116,11 @@ describe(`${AssetController.name} (e2e)`, () => {
createAsset(assetRepository, user1, defaultLibrary.id, new Date('1970-02-01')),
createAsset(assetRepository, user2, defaultLibrary.id, new Date('1970-01-01')),
]);
sharedLink = await api.sharedLinkApi.create(server, user1.accessToken, {
type: SharedLinkType.INDIVIDUAL,
assetIds: [asset1.id, asset2.id],
});
});
afterAll(async () => {
@ -507,6 +514,15 @@ describe(`${AssetController.name} (e2e)`, () => {
);
});
it('should not allow access for unrelated shared links', async () => {
const { status, body } = await request(server)
.get('/asset/time-buckets')
.query({ key: sharedLink.key, size: TimeBucketSize.MONTH });
expect(status).toBe(400);
expect(body).toEqual(errorStub.noPermission);
});
it('should get time buckets by day', async () => {
const { status, body } = await request(server)
.get('/asset/time-buckets')