From 35fcca625445d0ac8853a7effb4390152b26a23a Mon Sep 17 00:00:00 2001 From: Daniel Dietzler <36593685+danieldietzler@users.noreply.github.com> Date: Mon, 13 Jul 2026 22:03:20 +0200 Subject: [PATCH] fix: locked visibility in search random endpoint (#29887) --- server/src/services/search.service.ts | 6 +++++- .../medium/specs/services/search.service.spec.ts | 15 +++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/server/src/services/search.service.ts b/server/src/services/search.service.ts index 46cbefa35c..bef85fee58 100644 --- a/server/src/services/search.service.ts +++ b/server/src/services/search.service.ts @@ -118,7 +118,11 @@ export class SearchService extends BaseService { } const userIds = await this.getUserIdsToSearch(auth, dto.visibility); - const items = await this.searchRepository.searchRandom(dto.size || 250, { ...dto, userIds }); + const items = await this.searchRepository.searchRandom(dto.size || 250, { + ...dto, + visibility: dto.visibility ?? (auth.session?.hasElevatedPermission ? undefined : 'not-locked'), + userIds, + }); return items.map((item) => mapAsset(item, { auth })); } diff --git a/server/test/medium/specs/services/search.service.spec.ts b/server/test/medium/specs/services/search.service.spec.ts index 171d97103b..a92042e40a 100644 --- a/server/test/medium/specs/services/search.service.spec.ts +++ b/server/test/medium/specs/services/search.service.spec.ts @@ -196,4 +196,19 @@ describe(SearchService.name, () => { expect(suggestions).toEqual(['Canon', null]); }); }); + + describe('searchRandom', () => { + it('should filter out locked assets in a default session', async () => { + const { sut, ctx } = setup(); + const { user } = await ctx.newUser(); + + await ctx.newAsset({ ownerId: user.id, visibility: AssetVisibility.Locked }); + + const auth = factory.auth({ user: { id: user.id } }); + + const response = await sut.searchRandom(auth, {}); + + expect(response.length).toBe(0); + }); + }); });