
fix(server): timeline bucket access for shared links (#4404)

This commit is contained in:
Jason Rasmussen 2023-10-09 11:57:36 -04:00 committed by GitHub
parent 2ea080cacd
commit ebb50476ac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 5 deletions


@ -177,13 +177,15 @@ export class AssetService {
private async timeBucketChecks(authUser: AuthUserDto, dto: TimeBucketDto) { private async timeBucketChecks(authUser: AuthUserDto, dto: TimeBucketDto) {
if (dto.albumId) { if (dto.albumId) {
await this.access.requirePermission(authUser, Permission.ALBUM_READ, [dto.albumId]); await this.access.requirePermission(authUser, Permission.ALBUM_READ, [dto.albumId]);
} else if (dto.userId) { } else {
dto.userId = dto.userId || authUser.id;
}
if (dto.userId) {
await this.access.requirePermission(authUser, Permission.TIMELINE_READ, [dto.userId]);
if (dto.isArchived !== false) { if (dto.isArchived !== false) {
await this.access.requirePermission(authUser, Permission.ARCHIVE_READ, [dto.userId]); await this.access.requirePermission(authUser, Permission.ARCHIVE_READ, [dto.userId]);
} }
await this.access.requirePermission(authUser, Permission.TIMELINE_READ, [dto.userId]);
} else {
dto.userId = authUser.id;
} }
} }
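Review bot: The fallback `dto.userId = dto.userId || authUser.id;` in the new else branch needs a comment saying why the TIMELINE_READ check that follows must still run even though the id is the caller's own: if shared-link requests authenticate with the link owner's id, as the new e2e case ("should not allow access for unrelated shared links" expecting noPermission) suggests, a later "skip the check for own ids" shortcut would reopen exactly the hole this commit closes. I would add above `if (dto.userId) {`: `// Checked even when userId defaults to authUser.id: shared-link principals carry the owner's id but must not be granted the owner's timeline.`. The assignment also mutates the caller's dto in place; if the caller (outside this hunk) relies on the resolved userId being written back, a note to that effect would help, otherwise returning the resolved id would be cleaner than the side effect. Using `??` instead of `||` would avoid treating an empty string as absent, though upstream validation presumably rejects that anyway.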


@ -4,10 +4,11 @@ import {
IPersonRepository, IPersonRepository,
LibraryResponseDto, LibraryResponseDto,
LoginResponseDto, LoginResponseDto,
SharedLinkResponseDto,
TimeBucketSize, TimeBucketSize,
} from '@app/domain'; } from '@app/domain';
import { AssetController } from '@app/immich'; import { AssetController } from '@app/immich';
import { AssetEntity, AssetType } from '@app/infra/entities'; import { AssetEntity, AssetType, SharedLinkType } from '@app/infra/entities';
import { INestApplication } from '@nestjs/common'; import { INestApplication } from '@nestjs/common';
import { api } from '@test/api'; import { api } from '@test/api';
import { errorStub, uuidStub } from '@test/fixtures'; import { errorStub, uuidStub } from '@test/fixtures';
@ -76,6 +77,7 @@ describe(`${AssetController.name} (e2e)`, () => {
let server: any; let server: any;
let assetRepository: IAssetRepository; let assetRepository: IAssetRepository;
let defaultLibrary: LibraryResponseDto; let defaultLibrary: LibraryResponseDto;
let sharedLink: SharedLinkResponseDto;
let user1: LoginResponseDto; let user1: LoginResponseDto;
let user2: LoginResponseDto; let user2: LoginResponseDto;
let asset1: AssetEntity; let asset1: AssetEntity;
@ -114,6 +116,11 @@ describe(`${AssetController.name} (e2e)`, () => {
createAsset(assetRepository, user1, defaultLibrary.id, new Date('1970-02-01')), createAsset(assetRepository, user1, defaultLibrary.id, new Date('1970-02-01')),
createAsset(assetRepository, user2, defaultLibrary.id, new Date('1970-01-01')), createAsset(assetRepository, user2, defaultLibrary.id, new Date('1970-01-01')),
]); ]);
sharedLink = await api.sharedLinkApi.create(server, user1.accessToken, {
type: SharedLinkType.INDIVIDUAL,
assetIds: [asset1.id, asset2.id],
});
}); });
afterAll(async () => { afterAll(async () => {
@ -507,6 +514,15 @@ describe(`${AssetController.name} (e2e)`, () => {
); );
}); });
it('should not allow access for unrelated shared links', async () => {
const { status, body } = await request(server)
.get('/asset/time-buckets')
.query({ key: sharedLink.key, size: TimeBucketSize.MONTH });
expect(status).toBe(400);
expect(body).toEqual(errorStub.noPermission);
});
it('should get time buckets by day', async () => { it('should get time buckets by day', async () => {
const { status, body } = await request(server) const { status, body } = await request(server)
.get('/asset/time-buckets') .get('/asset/time-buckets')