immich-app/immich
1
0
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2025-12-21 01:11:16 +03:00
Code Issues Packages Projects Releases 18 Wiki Activity

fix(server): require asset permission when creating an album with them (#8686)

Browse Source 
require asset permission when creating an album with them
This commit is contained in:
Daniel Dietzler
2024-04-10 19:41:22 +02:00
committed by GitHub
parent 56079527ef
commit ad5d115abe
3 changed files with 41 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
server/src/services/album.service.spec.ts
View File

@@ -175,6 +175,7 @@ describe(AlbumService.name, () => {
it('creates album', async () => {
albumMock.create.mockResolvedValue(albumStub.empty);
userMock.get.mockResolvedValue(userStub.user1);
accessMock.asset.checkOwnerAccess.mockResolvedValue(new Set(['123']));
await sut.create(authStub.admin, {
albumName: 'Empty album',
@@ -193,6 +194,7 @@ describe(AlbumService.name, () => {
});
expect(userMock.get).toHaveBeenCalledWith('user-id', {});
expect(accessMock.asset.checkOwnerAccess).toHaveBeenCalledWith(authStub.admin.user.id, new Set(['123']));
});
it('should require valid userIds', async () => {
@@ -206,6 +208,31 @@ describe(AlbumService.name, () => {
expect(userMock.get).toHaveBeenCalledWith('user-3', {});
expect(albumMock.create).not.toHaveBeenCalled();
});
it('should only add assets the user is allowed to access', async () => {
userMock.get.mockResolvedValue(userStub.user1);
albumMock.create.mockResolvedValue(albumStub.oneAsset);
accessMock.asset.checkOwnerAccess.mockResolvedValue(new Set(['asset-1']));
await sut.create(authStub.admin, {
albumName: 'Test album',
description: '',
assetIds: ['asset-1', 'asset-2'],
});
expect(albumMock.create).toHaveBeenCalledWith({
ownerId: authStub.admin.user.id,
albumName: 'Test album',
description: '',
sharedUsers: [],
assets: [{ id: 'asset-1' }],
albumThumbnailAssetId: 'asset-1',
});
expect(accessMock.asset.checkOwnerAccess).toHaveBeenCalledWith(
authStub.admin.user.id,
new Set(['asset-1', 'asset-2']),
);
});
});
describe('update', () => {

7
server/src/services/album.service.ts
View File

@@ -119,13 +119,16 @@ export class AlbumService {
}
}
const allowedAssetIdsSet = await this.access.checkAccess(auth, Permission.ASSET_SHARE, new Set(dto.assetIds));
const assets = [...allowedAssetIdsSet].map((id) => ({ id }) as AssetEntity);
const album = await this.albumRepository.create({
ownerId: auth.user.id,
albumName: dto.albumName,
description: dto.description,
sharedUsers: dto.sharedWithUserIds?.map((value) => ({ id: value }) as UserEntity) ?? [],
assets: (dto.assetIds || []).map((id) => ({ id }) as AssetEntity),
albumThumbnailAssetId: dto.assetIds?.[0] || null,
assets,
albumThumbnailAssetId: assets[0]?.id || null,
});
return mapAlbumWithAssets(album);