docs: admin-only library settings (#7716)
* document admin-only library settings * renew library guide
| @ -38,7 +38,7 @@ Note: Either a manual or scheduled library scan must have been performed to iden | ||||
| 
 | ||||
| In all above scan methods, Immich will check if any files are missing. This can happen if files are deleted, or if they are on a storage location that is currently unavailable, like a network drive that is not mounted, or a USB drive that has been unplugged. In order to prevent accidental deletion of assets, Immich will not immediately delete an asset from the library if the file is missing. Instead, the asset will be internally marked as offline and will still be visible in the main timeline. If the file is moved back to its original location and the library is scanned again, the asset will be restored. | ||||
| 
 | ||||
| Finally, files can be deleted from Immich via the `Remove Offline Files` job. This job can be found by the three dots menu for the associated external storage that was configured under user account settings > libraries (the same location described at [create external libraries](#create-external-libraries)). When this job is run, any assets marked as offline will then be removed from Immich. Run this job whenever files have been deleted from the file system and you want to remove them from Immich. | ||||
| Finally, files can be deleted from Immich via the `Remove Offline Files` job. This job can be found by the three dots menu for the associated external storage that was configured under Administration > Libraries (the same location described at [create external libraries](#create-external-libraries)). When this job is run, any assets marked as offline will then be removed from Immich. Run this job whenever files have been deleted from the file system and you want to remove them from Immich. | ||||
| 
 | ||||
| ### Import Paths | ||||
| 
 | ||||
| @ -50,8 +50,6 @@ If the import paths are edited in a way that an external file is no longer in an | ||||
| 
 | ||||
| Sometimes, an external library will not scan correctly. This can happen if immich_server or immich_microservices can't access the files. Here are some things to check: | ||||
| 
 | ||||
| - Is the external path set correctly? Each import path must be contained in the external path. | ||||
| - Make sure the external path does not contain spaces | ||||
| - In the docker-compose file, are the volumes mounted correctly? | ||||
| - Are the volumes identical between the `server` and `microservices` container? | ||||
| - Are the import paths set correctly, and do they match the path set in docker-compose file? | ||||
| @ -61,18 +59,6 @@ Sometimes, an external library will not scan correctly. This can happen if immic | ||||
| 
 | ||||
| To validate that Immich can reach your external library, start a shell inside the container. Run `docker exec -it immich_microservices /bin/bash` to a bash shell. If your import path is `/data/import/photos`, check it with `ls /data/import/photos`. Do the same check for the `immich_server` container. If you cannot access this directory in both the `microservices` and `server` containers, Immich won't be able to import files. | ||||
| 
 | ||||
| ### Security Considerations | ||||
| 
 | ||||
| :::caution | ||||
| 
 | ||||
| Please read and understand this section before setting external paths, as there are important security considerations. | ||||
| 
 | ||||
| ::: | ||||
| 
 | ||||
| For security purposes, each Immich user is disallowed to add external files by default. This is to prevent devastating [path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal). An admin can allow individual users to use external path feature via the `external path` setting found in the admin panel. Without the external path restriction, a user can add any image or video file on the Immich host filesystem to be imported into Immich, potentially allowing sensitive data to be accessed. If you are running Immich as root in your Docker setup (which is the default), all external file reads are done with root privileges. This is particularly dangerous if the Immich host is a shared server. | ||||
| 
 | ||||
| With the `external path` set, a user is restricted to accessing external files to files or directories within that path. The Immich admin should still be careful not set the external path too generously. For example, `user1` wants to read their photos in to `/home/user1`. A lazy admin sets that user's external path to `/home/` since it "gets the job done". However, that user will then be able to read all photos in `/home/user2/private-photos`, too! Please set the external path as specific as possible. If multiple folders must be added, do this using the docker volume mount feature described below. | ||||
| 
 | ||||
| ### Exclusion Patterns | ||||
| 
 | ||||
| By default, all files in the import paths will be added to the library. If there are files that should not be added, exclusion patterns can be used to exclude them. Exclusion patterns are glob patterns are matched against the full file path. If a file matches an exclusion pattern, it will not be added to the library. Exclusion patterns can be added in the Scan Settings page for each library. Under the hood, Immich uses the [glob](https://www.npmjs.com/package/glob) package to match patterns, so please refer to [their documentation](https://github.com/isaacs/node-glob#glob-primer) to see what patterns are supported. | ||||
| @ -145,27 +131,13 @@ The `ro` flag at the end only gives read-only access to the volumes. While Immic | ||||
| _Remember to bring the container `docker compose down/up` to register the changes. Make sure you can see the mounted path in the container._ | ||||
| ::: | ||||
| 
 | ||||
| ### Set External Path | ||||
| 
 | ||||
| Only an admin can do this. | ||||
| 
 | ||||
| - Navigate to `Administration > Users` page on the web. | ||||
| - Click on the user edit button. | ||||
| - Set `/mnt/media` to be the external path. This folder will only contain the three folders that we want to import, so nothing else can be accessed. | ||||
|   :::note | ||||
|   Spaces in the internal path aren't currently supported. | ||||
| 
 | ||||
|   You must import it as: | ||||
|   `..:/mnt/media/my-media:ro` | ||||
|   instead of | ||||
|   `..:/mnt/media/my media:ro` | ||||
|   ::: | ||||
| 
 | ||||
| ### Create External Libraries | ||||
| 
 | ||||
| - Click on your user name in the top right corner -> Account Settings | ||||
| - Click on Libraries | ||||
| These actions must be performed by the Immich administrator. | ||||
| 
 | ||||
| - Click on Administration -> Libraries | ||||
| - Click on Create External Library | ||||
| - Select which user owns the library, this can not be changed later | ||||
| - Click the drop-down menu on the newly created library | ||||
| - Click on Rename Library and rename it to "Christmas Trip" | ||||
| - Click Edit Import Paths | ||||
| @ -176,7 +148,7 @@ NOTE: We have to use the `/mnt/media/christmas-trip` path and not the `/mnt/nas/ | ||||
| 
 | ||||
| Next, we'll add an exclusion pattern to filter out raw files. | ||||
| 
 | ||||
| - Click the drop-down menu on the newly christmas library | ||||
| - Click the drop-down menu on the newly-created Christmas library | ||||
| - Click on Manage | ||||
| - Click on Scan Settings | ||||
| - Click on Add Exclusion Pattern | ||||
|  | ||||
| @ -11,23 +11,11 @@ Edit `docker-compose.yml` to add two new mount points under `volumes:` | ||||
| ``` | ||||
|   immich-server: | ||||
|     volumes: | ||||
|       - ${EXTERNAL_PATH}:/usr/src/app/external | ||||
|       - /path/to/photos/on/host:/usr/src/app/external | ||||
| ``` | ||||
| 
 | ||||
| Be sure to add exactly the same line to both `immich-server:` and `immich-microservices:`. | ||||
| 
 | ||||
| Edit `.env` to define `EXTERNAL_PATH`, substituting in the correct path for your computer: | ||||
| 
 | ||||
| ``` | ||||
| EXTERNAL_PATH=<your-path-here> | ||||
| ``` | ||||
| 
 | ||||
| On my computer, for example, I use this path: | ||||
| 
 | ||||
| ``` | ||||
| EXTERNAL_PATH=/home/tenino/photos | ||||
| ``` | ||||
| 
 | ||||
| Restart Immich. | ||||
| 
 | ||||
| ``` | ||||
| @ -35,42 +23,21 @@ docker compose down | ||||
| docker compose up -d | ||||
| ``` | ||||
| 
 | ||||
| # Set the External Path | ||||
| # Create the library | ||||
| 
 | ||||
| In the Immich web UI: | ||||
| 
 | ||||
| - click the **Administration** link in the upper right corner. | ||||
|   <img src={require('./img/administration-link.png').default} width="50%" title="Administration link" /> | ||||
| 
 | ||||
| - Select the **Users** tab | ||||
|   <img src={require('./img/users-tab.png').default} width="50%" title="Users tab" /> | ||||
| - Select the **External Libraries** tab | ||||
|   <img src={require('./img/external-libraries.png').default} width="50%" title="External Libraries tab" /> | ||||
| 
 | ||||
| - Select the **pencil** next to your user ID | ||||
|   <img src={require('./img/pencil.png').default} width="50%" title="Pencil" /> | ||||
| - Click the **Create Library** button | ||||
|   <img src={require('./img/create-external-library.png').default} width="50%" title="Create Library button" /> | ||||
| 
 | ||||
| - Fill in the **External Path** field with `/usr/src/app/external` | ||||
|   <img src={require('./img/external-path.png').default} width="50%" title="External Path field" /> | ||||
| 
 | ||||
| Notice this matches the path _inside the container_ where we mounted your photos. | ||||
| The purpose of the external path field is for administrators who have multiple users | ||||
| on their Immich instance. It lets you prevent other authorized users from | ||||
| navigating to your external library. | ||||
| 
 | ||||
| # Import the library | ||||
| 
 | ||||
| In the Immich web UI: | ||||
| 
 | ||||
| - Click your user avatar in the upper-right corner (circle with your initials) | ||||
|   <img src={require('./img/user-avatar.png').default} width="50%" title="User avatar" /> | ||||
| 
 | ||||
| - Click **Account Settings** | ||||
|   <img src={require('./img/account-settings.png').default} width="50%" title="Account Settings button" /> | ||||
| 
 | ||||
| - Click to expand **Libraries** | ||||
|   <img src={require('./img/libraries-dropdown.png').default} width="50%" title="Libraries dropdown" /> | ||||
| 
 | ||||
| - Click the **Create External Library** button | ||||
|   <img src={require('./img/create-external-library-button.png').default} width="50%" title="Create External Library button" /> | ||||
| - In the dialog, select which user should own the new library | ||||
|   <img src={require('./img/library-owner.png').default} width="50%" title="Library owner diaglog" /> | ||||
| 
 | ||||
| - Click the three-dots menu and select **Edit Import Paths** | ||||
|   <img src={require('./img/edit-import-paths.png').default} width="50%" title="Edit Import Paths menu option" /> | ||||
|  | ||||
| Before Width: | Height: | Size: 26 KiB | 
| Before Width: | Height: | Size: 5.7 KiB | 
							
								
								
									
										
											BIN
										
									
								
								docs/docs/guides/img/create-external-library.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						| After Width: | Height: | Size: 3.7 KiB | 
							
								
								
									
										
											BIN
										
									
								
								docs/docs/guides/img/external-libraries.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						| After Width: | Height: | Size: 5.7 KiB | 
| Before Width: | Height: | Size: 12 KiB | 
							
								
								
									
										
											BIN
										
									
								
								docs/docs/guides/img/library-owner.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						| After Width: | Height: | Size: 14 KiB | 
| Before Width: | Height: | Size: 3.0 KiB | 
| Before Width: | Height: | Size: 15 KiB |