Cutlery/immich
1
0
Fork 1
mirror of https://github.com/immich-app/immich.git synced 2025-07-31 15:08:44 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix: default route permission (#20113)

Browse Source
This commit is contained in:
Jason Rasmussen 2025-07-23 16:56:38 -04:00 committed by GitHub
parent a675922172
commit bc8cb9b671
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 28 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
server/src/services/auth.service.spec.ts
View File

@ -459,18 +459,34 @@ describe(AuthService.name, () => {
mocks.apiKey.getKey.mockResolvedValue({ ...authApiKey, user: authUser }); mocks.apiKey.getKey.mockResolvedValue({ ...authApiKey, user: authUser });
await expect( const result = sut.authenticate({
sut.authenticate({
headers: { 'x-api-key': 'auth_token' }, headers: { 'x-api-key': 'auth_token' },
queryParams: {}, queryParams: {},
metadata: { adminRoute: false, sharedLinkRoute: false, uri: 'test', permission: Permission.AssetRead }, metadata: { adminRoute: false, sharedLinkRoute: false, uri: 'test', permission: Permission.AssetRead },
}), });
).rejects.toBeInstanceOf(ForbiddenException);
await expect(result).rejects.toBeInstanceOf(ForbiddenException);
await expect(result).rejects.toThrow('Missing required permission: asset.read');
});
it('should default to requiring the all permission when omitted', async () => {
const authUser = factory.authUser();
const authApiKey = factory.authApiKey({ permissions: [Permission.AssetRead] });
mocks.apiKey.getKey.mockResolvedValue({ ...authApiKey, user: authUser });
const result = sut.authenticate({
headers: { 'x-api-key': 'auth_token' },
queryParams: {},
metadata: { adminRoute: false, sharedLinkRoute: false, uri: 'test' },
});
await expect(result).rejects.toBeInstanceOf(ForbiddenException);
await expect(result).rejects.toThrow('Missing required permission: all');
}); });
it('should return an auth dto', async () => { it('should return an auth dto', async () => {
const authUser = factory.authUser(); const authUser = factory.authUser();
const authApiKey = factory.authApiKey({ permissions: [] }); const authApiKey = factory.authApiKey({ permissions: [Permission.All] });
mocks.apiKey.getKey.mockResolvedValue({ ...authApiKey, user: authUser }); mocks.apiKey.getKey.mockResolvedValue({ ...authApiKey, user: authUser });

7
server/src/services/auth.service.ts
View File

@ -174,7 +174,8 @@ export class AuthService extends BaseService {
async authenticate({ headers, queryParams, metadata }: ValidateRequest): Promise<AuthDto> { async authenticate({ headers, queryParams, metadata }: ValidateRequest): Promise<AuthDto> {
const authDto = await this.validate({ headers, queryParams }); const authDto = await this.validate({ headers, queryParams });
const { adminRoute, sharedLinkRoute, permission, uri } = metadata; const { adminRoute, sharedLinkRoute, uri } = metadata;
const requestedPermission = metadata.permission ?? Permission.All;
if (!authDto.user.isAdmin && adminRoute) { if (!authDto.user.isAdmin && adminRoute) {
this.logger.warn(`Denied access to admin only route: ${uri}`); this.logger.warn(`Denied access to admin only route: ${uri}`);
@ -186,8 +187,8 @@ export class AuthService extends BaseService {
throw new ForbiddenException('Forbidden'); throw new ForbiddenException('Forbidden');
} }
if (authDto.apiKey && permission && !isGranted({ requested: [permission], current: authDto.apiKey.permissions })) { if (authDto.apiKey && !isGranted({ requested: [requestedPermission], current: authDto.apiKey.permissions })) {
throw new ForbiddenException(`Missing required permission: ${permission}`); throw new ForbiddenException(`Missing required permission: ${requestedPermission}`);
} }
return authDto; return authDto;