immich-app/immich
1
0
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2025-12-26 09:14:58 +03:00
Code Issues Packages Projects Releases 18 Wiki Activity

fix(server): tighten asset visibility (#18699)

Browse Source 
* tighten visibility

* update sql

* elevated access util function

* fix potential sync issue

* include in user stats

* include hidden assets in size usage

* filter visibility in search duplicates query

* stack visibility
This commit is contained in:
Mert
2025-06-02 10:33:08 -04:00
committed by GitHub
parent b5c3a675b2
commit fa22e865a4
21 changed files with 132 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
server/src/services/asset.service.ts
View File

@@ -17,11 +17,16 @@ import { AuthDto } from 'src/dtos/auth.dto';
import { AssetStatus, AssetVisibility, JobName, JobStatus, Permission, QueueName } from 'src/enum';
import { BaseService } from 'src/services/base.service';
import { ISidecarWriteJob, JobItem, JobOf } from 'src/types';
import { requireElevatedPermission } from 'src/utils/access';
import { getAssetFiles, getMyPartnerIds, onAfterUnlink, onBeforeLink, onBeforeUnlink } from 'src/utils/asset.util';
@Injectable()
export class AssetService extends BaseService {
async getStatistics(auth: AuthDto, dto: AssetStatsDto) {
if (dto.visibility === AssetVisibility.LOCKED) {
requireElevatedPermission(auth);
}
const stats = await this.assetRepository.getStatistics(auth.user.id, dto);
return mapStats(stats);
}

18
server/src/services/search.service.ts
View File

@@ -14,8 +14,9 @@ import {
SearchSuggestionType,
SmartSearchDto,
} from 'src/dtos/search.dto';
import { AssetOrder } from 'src/enum';
import { AssetOrder, AssetVisibility } from 'src/enum';
import { BaseService } from 'src/services/base.service';
import { requireElevatedPermission } from 'src/utils/access';
import { getMyPartnerIds } from 'src/utils/asset.util';
import { isSmartSearchEnabled } from 'src/utils/misc';
@@ -40,9 +41,11 @@ export class SearchService extends BaseService {
}
async searchMetadata(auth: AuthDto, dto: MetadataSearchDto): Promise<SearchResponseDto> {
let checksum: Buffer | undefined;
const userIds = await this.getUserIdsToSearch(auth);
if (dto.visibility === AssetVisibility.LOCKED) {
requireElevatedPermission(auth);
}
let checksum: Buffer | undefined;
if (dto.checksum) {
const encoding = dto.checksum.length === 28 ? 'base64' : 'hex';
checksum = Buffer.from(dto.checksum, encoding);
@@ -50,6 +53,7 @@ export class SearchService extends BaseService {
const page = dto.page ?? 1;
const size = dto.size || 250;
const userIds = await this.getUserIdsToSearch(auth);
const { hasNextPage, items } = await this.searchRepository.searchMetadata(
{ page, size },
{
@@ -64,12 +68,20 @@ export class SearchService extends BaseService {
}
async searchRandom(auth: AuthDto, dto: RandomSearchDto): Promise<AssetResponseDto[]> {
if (dto.visibility === AssetVisibility.LOCKED) {
requireElevatedPermission(auth);
}
const userIds = await this.getUserIdsToSearch(auth);
const items = await this.searchRepository.searchRandom(dto.size || 250, { ...dto, userIds });
return items.map((item) => mapAsset(item, { auth }));
}
async searchSmart(auth: AuthDto, dto: SmartSearchDto): Promise<SearchResponseDto> {
if (dto.visibility === AssetVisibility.LOCKED) {
requireElevatedPermission(auth);
}
const { machineLearning } = await this.getConfig({ withCache: false });
if (!isSmartSearchEnabled(machineLearning)) {
throw new BadRequestException('Smart search is not enabled');

5
server/src/services/timeline.service.ts
View File

@@ -4,6 +4,7 @@ import { TimeBucketAssetDto, TimeBucketDto, TimeBucketsResponseDto } from 'src/d
import { AssetVisibility, Permission } from 'src/enum';
import { TimeBucketOptions } from 'src/repositories/asset.repository';
import { BaseService } from 'src/services/base.service';
import { requireElevatedPermission } from 'src/utils/access';
import { getMyPartnerIds } from 'src/utils/asset.util';
@Injectable()
@@ -44,6 +45,10 @@ export class TimelineService extends BaseService {
}
private async timeBucketChecks(auth: AuthDto, dto: TimeBucketDto) {
if (dto.visibility === AssetVisibility.LOCKED) {
requireElevatedPermission(auth);
}
if (dto.albumId) {
await this.requireAccess({ auth, permission: Permission.ALBUM_READ, ids: [dto.albumId] });
} else {