immich-app/immich
1
0
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2025-12-22 17:24:56 +03:00
Code Issues Packages Projects Releases 18 Wiki Activity

refactor: access core (#11930)

Browse Source
This commit is contained in:
Jason Rasmussen
2024-08-20 07:49:56 -04:00
committed by GitHub
parent c7801eae7e
commit 8285803c95
19 changed files with 415 additions and 496 deletions
Download Patch File Download Diff File Expand all files Collapse all files

273
server/src/utils/access.ts
View File

@@ -1,5 +1,9 @@
import { Permission } from 'src/enum';
import { setIsSuperset } from 'src/utils/set';
import { BadRequestException, UnauthorizedException } from '@nestjs/common';
import { AuthDto } from 'src/dtos/auth.dto';
import { SharedLinkEntity } from 'src/entities/shared-link.entity';
import { AlbumUserRole, Permission } from 'src/enum';
import { IAccessRepository } from 'src/interfaces/access.interface';
import { setDifference, setIsEqual, setIsSuperset, setUnion } from 'src/utils/set';
export type GrantedRequest = {
requested: Permission[];
@@ -13,3 +17,268 @@ export const isGranted = ({ requested, current }: GrantedRequest) => {
return setIsSuperset(new Set(current), new Set(requested));
};
export type AccessRequest = {
auth: AuthDto;
permission: Permission;
ids: Set<string> | string[];
};
type SharedLinkAccessRequest = { sharedLink: SharedLinkEntity; permission: Permission; ids: Set<string> };
type OtherAccessRequest = { auth: AuthDto; permission: Permission; ids: Set<string> };
export const requireUploadAccess = (auth: AuthDto | null): AuthDto => {
if (!auth || (auth.sharedLink && !auth.sharedLink.allowUpload)) {
throw new UnauthorizedException();
}
return auth;
};
export const requireAccess = async (access: IAccessRepository, request: AccessRequest) => {
const allowedIds = await checkAccess(access, request);
if (!setIsEqual(new Set(request.ids), allowedIds)) {
throw new BadRequestException(`Not found or no ${request.permission} access`);
}
};
export const checkAccess = async (access: IAccessRepository, { ids, auth, permission }: AccessRequest) => {
const idSet = Array.isArray(ids) ? new Set(ids) : ids;
if (idSet.size === 0) {
return new Set<string>();
}
return auth.sharedLink
? checkSharedLinkAccess(access, { sharedLink: auth.sharedLink, permission, ids: idSet })
: checkOtherAccess(access, { auth, permission, ids: idSet });
};
const checkSharedLinkAccess = async (access: IAccessRepository, request: SharedLinkAccessRequest) => {
const { sharedLink, permission, ids } = request;
const sharedLinkId = sharedLink.id;
switch (permission) {
case Permission.ASSET_READ: {
return await access.asset.checkSharedLinkAccess(sharedLinkId, ids);
}
case Permission.ASSET_VIEW: {
return await access.asset.checkSharedLinkAccess(sharedLinkId, ids);
}
case Permission.ASSET_DOWNLOAD: {
return sharedLink.allowDownload ? await access.asset.checkSharedLinkAccess(sharedLinkId, ids) : new Set();
}
case Permission.ASSET_UPLOAD: {
return sharedLink.allowUpload ? ids : new Set();
}
case Permission.ASSET_SHARE: {
// TODO: fix this to not use sharedLink.userId for access control
return await access.asset.checkOwnerAccess(sharedLink.userId, ids);
}
case Permission.ALBUM_READ: {
return await access.album.checkSharedLinkAccess(sharedLinkId, ids);
}
case Permission.ALBUM_DOWNLOAD: {
return sharedLink.allowDownload ? await access.album.checkSharedLinkAccess(sharedLinkId, ids) : new Set();
}
case Permission.ALBUM_ADD_ASSET: {
return sharedLink.allowUpload ? await access.album.checkSharedLinkAccess(sharedLinkId, ids) : new Set();
}
default: {
return new Set<string>();
}
}
};
const checkOtherAccess = async (access: IAccessRepository, request: OtherAccessRequest) => {
const { auth, permission, ids } = request;
switch (permission) {
// uses album id
case Permission.ACTIVITY_CREATE: {
return await access.activity.checkCreateAccess(auth.user.id, ids);
}
// uses activity id
case Permission.ACTIVITY_DELETE: {
const isOwner = await access.activity.checkOwnerAccess(auth.user.id, ids);
const isAlbumOwner = await access.activity.checkAlbumOwnerAccess(auth.user.id, setDifference(ids, isOwner));
return setUnion(isOwner, isAlbumOwner);
}
case Permission.ASSET_READ: {
const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids);
const isAlbum = await access.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner));
const isPartner = await access.asset.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner, isAlbum));
return setUnion(isOwner, isAlbum, isPartner);
}
case Permission.ASSET_SHARE: {
const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids);
const isPartner = await access.asset.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner));
return setUnion(isOwner, isPartner);
}
case Permission.ASSET_VIEW: {
const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids);
const isAlbum = await access.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner));
const isPartner = await access.asset.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner, isAlbum));
return setUnion(isOwner, isAlbum, isPartner);
}
case Permission.ASSET_DOWNLOAD: {
const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids);
const isAlbum = await access.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner));
const isPartner = await access.asset.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner, isAlbum));
return setUnion(isOwner, isAlbum, isPartner);
}
case Permission.ASSET_UPDATE: {
return await access.asset.checkOwnerAccess(auth.user.id, ids);
}
case Permission.ASSET_DELETE: {
return await access.asset.checkOwnerAccess(auth.user.id, ids);
}
case Permission.ASSET_RESTORE: {
return await access.asset.checkOwnerAccess(auth.user.id, ids);
}
case Permission.ALBUM_READ: {
const isOwner = await access.album.checkOwnerAccess(auth.user.id, ids);
const isShared = await access.album.checkSharedAlbumAccess(
auth.user.id,
setDifference(ids, isOwner),
AlbumUserRole.VIEWER,
);
return setUnion(isOwner, isShared);
}
case Permission.ALBUM_ADD_ASSET: {
const isOwner = await access.album.checkOwnerAccess(auth.user.id, ids);
const isShared = await access.album.checkSharedAlbumAccess(
auth.user.id,
setDifference(ids, isOwner),
AlbumUserRole.EDITOR,
);
return setUnion(isOwner, isShared);
}
case Permission.ALBUM_UPDATE: {
return await access.album.checkOwnerAccess(auth.user.id, ids);
}
case Permission.ALBUM_DELETE: {
return await access.album.checkOwnerAccess(auth.user.id, ids);
}
case Permission.ALBUM_SHARE: {
return await access.album.checkOwnerAccess(auth.user.id, ids);
}
case Permission.ALBUM_DOWNLOAD: {
const isOwner = await access.album.checkOwnerAccess(auth.user.id, ids);
const isShared = await access.album.checkSharedAlbumAccess(
auth.user.id,
setDifference(ids, isOwner),
AlbumUserRole.VIEWER,
);
return setUnion(isOwner, isShared);
}
case Permission.ALBUM_REMOVE_ASSET: {
const isOwner = await access.album.checkOwnerAccess(auth.user.id, ids);
const isShared = await access.album.checkSharedAlbumAccess(
auth.user.id,
setDifference(ids, isOwner),
AlbumUserRole.EDITOR,
);
return setUnion(isOwner, isShared);
}
case Permission.ASSET_UPLOAD: {
return ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set<string>();
}
case Permission.ARCHIVE_READ: {
return ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set();
}
case Permission.AUTH_DEVICE_DELETE: {
return await access.authDevice.checkOwnerAccess(auth.user.id, ids);
}
case Permission.TIMELINE_READ: {
const isOwner = ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set<string>();
const isPartner = await access.timeline.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner));
return setUnion(isOwner, isPartner);
}
case Permission.TIMELINE_DOWNLOAD: {
return ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set();
}
case Permission.MEMORY_READ: {
return access.memory.checkOwnerAccess(auth.user.id, ids);
}
case Permission.MEMORY_UPDATE: {
return access.memory.checkOwnerAccess(auth.user.id, ids);
}
case Permission.MEMORY_DELETE: {
return access.memory.checkOwnerAccess(auth.user.id, ids);
}
case Permission.MEMORY_DELETE: {
return access.memory.checkOwnerAccess(auth.user.id, ids);
}
case Permission.PERSON_READ: {
return await access.person.checkOwnerAccess(auth.user.id, ids);
}
case Permission.PERSON_UPDATE: {
return await access.person.checkOwnerAccess(auth.user.id, ids);
}
case Permission.PERSON_MERGE: {
return await access.person.checkOwnerAccess(auth.user.id, ids);
}
case Permission.PERSON_CREATE: {
return access.person.checkFaceOwnerAccess(auth.user.id, ids);
}
case Permission.PERSON_REASSIGN: {
return access.person.checkFaceOwnerAccess(auth.user.id, ids);
}
case Permission.PARTNER_UPDATE: {
return await access.partner.checkUpdateAccess(auth.user.id, ids);
}
case Permission.STACK_READ: {
return access.stack.checkOwnerAccess(auth.user.id, ids);
}
case Permission.STACK_UPDATE: {
return access.stack.checkOwnerAccess(auth.user.id, ids);
}
case Permission.STACK_DELETE: {
return access.stack.checkOwnerAccess(auth.user.id, ids);
}
default: {
return new Set<string>();
}
}
};

31
server/src/utils/asset.util.ts
View File

@@ -1,10 +1,10 @@
import { AccessCore } from 'src/cores/access.core';
import { BulkIdErrorReason, BulkIdResponseDto } from 'src/dtos/asset-ids.response.dto';
import { AuthDto } from 'src/dtos/auth.dto';
import { AssetFileEntity } from 'src/entities/asset-files.entity';
import { AssetFileType, Permission } from 'src/enum';
import { IAccessRepository } from 'src/interfaces/access.interface';
import { IPartnerRepository } from 'src/interfaces/partner.interface';
import { checkAccess } from 'src/utils/access';
export interface IBulkAsset {
getAssetIds: (id: string, assetIds: string[]) => Promise<Set<string>>;
@@ -23,15 +23,17 @@ export const getAssetFiles = (files?: AssetFileEntity[]) => ({
export const addAssets = async (
auth: AuthDto,
repositories: { accessRepository: IAccessRepository; repository: IBulkAsset },
repositories: { access: IAccessRepository; bulk: IBulkAsset },
dto: { parentId: string; assetIds: string[] },
) => {
const { accessRepository, repository } = repositories;
const access = AccessCore.create(accessRepository);
const existingAssetIds = await repository.getAssetIds(dto.parentId, dto.assetIds);
const { access, bulk } = repositories;
const existingAssetIds = await bulk.getAssetIds(dto.parentId, dto.assetIds);
const notPresentAssetIds = dto.assetIds.filter((id) => !existingAssetIds.has(id));
const allowedAssetIds = await access.checkAccess(auth, Permission.ASSET_SHARE, notPresentAssetIds);
const allowedAssetIds = await checkAccess(access, {
auth,
permission: Permission.ASSET_SHARE,
ids: notPresentAssetIds,
});
const results: BulkIdResponseDto[] = [];
for (const assetId of dto.assetIds) {
@@ -53,7 +55,7 @@ export const addAssets = async (
const newAssetIds = results.filter(({ success }) => success).map(({ id }) => id);
if (newAssetIds.length > 0) {
await repository.addAssetIds(dto.parentId, newAssetIds);
await bulk.addAssetIds(dto.parentId, newAssetIds);
}
return results;
@@ -61,18 +63,17 @@ export const addAssets = async (
export const removeAssets = async (
auth: AuthDto,
repositories: { accessRepository: IAccessRepository; repository: IBulkAsset },
repositories: { access: IAccessRepository; bulk: IBulkAsset },
dto: { parentId: string; assetIds: string[]; canAlwaysRemove: Permission },
) => {
const { accessRepository, repository } = repositories;
const access = AccessCore.create(accessRepository);
const { access, bulk } = repositories;
// check if the user can always remove from the parent album, memory, etc.
const canAlwaysRemove = await access.checkAccess(auth, dto.canAlwaysRemove, [dto.parentId]);
const existingAssetIds = await repository.getAssetIds(dto.parentId, dto.assetIds);
const canAlwaysRemove = await checkAccess(access, { auth, permission: dto.canAlwaysRemove, ids: [dto.parentId] });
const existingAssetIds = await bulk.getAssetIds(dto.parentId, dto.assetIds);
const allowedAssetIds = canAlwaysRemove.has(dto.parentId)
? existingAssetIds
: await access.checkAccess(auth, Permission.ASSET_SHARE, existingAssetIds);
: await checkAccess(access, { auth, permission: Permission.ASSET_SHARE, ids: existingAssetIds });
const results: BulkIdResponseDto[] = [];
for (const assetId of dto.assetIds) {
@@ -94,7 +95,7 @@ export const removeAssets = async (
const removedIds = results.filter(({ success }) => success).map(({ id }) => id);
if (removedIds.length > 0) {
await repository.removeAssetIds(dto.parentId, removedIds);
await bulk.removeAssetIds(dto.parentId, removedIds);
}
return results;