fix(server): prevent locked assets from leaking to partners (#28652 )

* fix(server): prevent locked assets from leaking to partners * fix tests
2026-05-27 18:12:31 -04:00 · 2026-05-27 17:33:49 -04:00
8 changed files with 55 additions and 41 deletions
@@ -75,7 +75,7 @@ export class SearchService extends BaseService {

    const page = dto.page ?? 1;
    const size = dto.size || 250;
-    const userIds = await this.getUserIdsToSearch(auth);
+    const userIds = await this.getUserIdsToSearch(auth, dto.visibility);
    const { hasNextPage, items } = await this.searchRepository.searchMetadata(
      { page, size },
      {
@@ -103,7 +103,7 @@ export class SearchService extends BaseService {
      requireElevatedPermission(auth);
    }

-    const userIds = await this.getUserIdsToSearch(auth);
+    const userIds = await this.getUserIdsToSearch(auth, dto.visibility);
    const items = await this.searchRepository.searchRandom(dto.size || 250, { ...dto, userIds });
    return items.map((item) => mapAsset(item, { auth }));
  }
@@ -113,7 +113,7 @@ export class SearchService extends BaseService {
      requireElevatedPermission(auth);
    }

-    const userIds = await this.getUserIdsToSearch(auth);
+    const userIds = await this.getUserIdsToSearch(auth, dto.visibility);
    const items = await this.searchRepository.searchLargeAssets(dto.size || 250, { ...dto, userIds });
    return items.map((item) => mapAsset(item, { auth }));
  }
@@ -128,7 +128,7 @@ export class SearchService extends BaseService {
      throw new BadRequestException('Smart search is not enabled');
    }

-    const userIds = this.getUserIdsToSearch(auth);
+    const userIds = this.getUserIdsToSearch(auth, dto.visibility);
    let embedding;
    if (dto.query) {
      const key = machineLearning.clip.modelName + dto.query + dto.language;
@@ -202,7 +202,11 @@ export class SearchService extends BaseService {
    }
  }

-  private async getUserIdsToSearch(auth: AuthDto): Promise<string[]> {
+  private async getUserIdsToSearch(auth: AuthDto, visibility?: AssetVisibility): Promise<string[]> {
+    // Locked assets are personal. Never include partner IDs, regardless of A's elevated session.
+    if (visibility === AssetVisibility.Locked) {
+      return [auth.user.id];
+    }
    const partnerIds = await getMyPartnerIds({
      userId: auth.user.id,
      repository: this.partnerRepository,
@@ -204,5 +204,16 @@ describe(TimelineService.name, () => {
        }),
      ).rejects.toThrow(BadRequestException);
    });
+
+    it('should throw an error if withPartners is true and visibility is locked', async () => {
+      await expect(
+        sut.getTimeBucket(authStub.adminWithElevatedPermission, {
+          timeBucket: 'bucket',
+          visibility: AssetVisibility.Locked,
+          withPartners: true,
+          userId: authStub.adminWithElevatedPermission.user.id,
+        }),
+      ).rejects.toThrow(BadRequestException);
+    });
  });
 });
@@ -71,13 +71,14 @@ export class TimelineService extends BaseService {
    }

    if (dto.withPartners) {
+      const requestedLocked = dto.visibility === AssetVisibility.Locked;
      const requestedArchived = dto.visibility === AssetVisibility.Archive || dto.visibility === undefined;
      const requestedFavorite = dto.isFavorite === true || dto.isFavorite === false;
      const requestedTrash = dto.isTrashed === true;

-      if (requestedArchived || requestedFavorite || requestedTrash) {
+      if (requestedLocked || requestedArchived || requestedFavorite || requestedTrash) {
        throw new BadRequestException(
-          'withPartners is only supported for non-archived, non-trashed, non-favorited assets',
+          'withPartners is only supported for non-archived, non-trashed, non-favorited, non-locked assets',
        );
      }
    }
@@ -41,6 +41,13 @@ export const authStub = {
      id: 'token-id',
    } as AuthSession,
  }),
+  adminWithElevatedPermission: Object.freeze<AuthDto>({
+    user: authUser.admin,
+    session: {
+      id: 'token-id-elevated',
+      hasElevatedPermission: true,
+    } as AuthSession,
+  }),
  adminSharedLink: Object.freeze({
    user: authUser.admin,
    sharedLink: {
@@ -51,13 +51,13 @@ describe(TimelineService.name, () => {
      const response1 = sut.getTimeBuckets(auth, { withPartners: true, visibility: AssetVisibility.Archive });
      await expect(response1).rejects.toBeInstanceOf(BadRequestException);
      await expect(response1).rejects.toThrow(
-        'withPartners is only supported for non-archived, non-trashed, non-favorited assets',
+        'withPartners is only supported for non-archived, non-trashed, non-favorited, non-locked assets',
      );

      const response2 = sut.getTimeBuckets(auth, { withPartners: true });
      await expect(response2).rejects.toBeInstanceOf(BadRequestException);
      await expect(response2).rejects.toThrow(
-        'withPartners is only supported for non-archived, non-trashed, non-favorited assets',
+        'withPartners is only supported for non-archived, non-trashed, non-favorited, non-locked assets',
      );
    });

@@ -67,13 +67,13 @@ describe(TimelineService.name, () => {
      const response1 = sut.getTimeBuckets(auth, { withPartners: true, isFavorite: false });
      await expect(response1).rejects.toBeInstanceOf(BadRequestException);
      await expect(response1).rejects.toThrow(
-        'withPartners is only supported for non-archived, non-trashed, non-favorited assets',
+        'withPartners is only supported for non-archived, non-trashed, non-favorited, non-locked assets',
      );

      const response2 = sut.getTimeBuckets(auth, { withPartners: true, isFavorite: true });
      await expect(response2).rejects.toBeInstanceOf(BadRequestException);
      await expect(response2).rejects.toThrow(
-        'withPartners is only supported for non-archived, non-trashed, non-favorited assets',
+        'withPartners is only supported for non-archived, non-trashed, non-favorited, non-locked assets',
      );
    });

@@ -83,7 +83,7 @@ describe(TimelineService.name, () => {
      const response = sut.getTimeBuckets(auth, { withPartners: true, isTrashed: true });
      await expect(response).rejects.toBeInstanceOf(BadRequestException);
      await expect(response).rejects.toThrow(
-        'withPartners is only supported for non-archived, non-trashed, non-favorited assets',
+        'withPartners is only supported for non-archived, non-trashed, non-favorited, non-locked assets',
      );
    });

@@ -67,11 +67,3 @@ export function calculateViewerAssetViewportProximity(
    timelineManager.visibleWindow.bottom + headerHeight,
  );
 }
-
-export function calculateViewerAssetIsInOrNearViewport(
-  timelineManager: TimelineManager,
-  positionTop: number,
-  positionHeight: number,
-) {
-  return isInOrNearViewport(calculateViewerAssetViewportProximity(timelineManager, positionTop, positionHeight));
-}
@@ -29,8 +29,7 @@ import type { AssetDescriptor, Direction, MoveAsset, TimelineAsset } from './typ
 import { ViewerAsset } from './viewer-asset.svelte';

 export class TimelineMonth {
-  #isInOrNearViewport = $state(false);
-  #isInViewport = $state(false);
+  #viewportProximity: ViewportProximity = $state(ViewportProximity.FarFromViewport);
  isLoaded: boolean = $state(false);
  timelineDays: TimelineDay[] = $state([]);
  readonly timelineManager: TimelineManager;
@@ -86,28 +85,24 @@ export class TimelineMonth {
  }

  set viewportProximity(newValue: ViewportProximity) {
-    const isInOrNearViewport = isInOrNearViewportUtil(newValue);
-    if (this.#isInOrNearViewport !== isInOrNearViewport) {
-      this.#isInOrNearViewport = isInOrNearViewport;
-      if (isInOrNearViewport) {
-        void this.timelineManager.loadTimelineMonth(this.yearMonth);
-      } else {
-        this.cancel();
-      }
+    const old = this.#viewportProximity;
+    if (old === newValue) {
+      return;
    }
-
-    const isInViewport = isInViewportUtil(newValue);
-    if (this.#isInViewport !== isInViewport) {
-      this.#isInViewport = isInViewport;
+    this.#viewportProximity = newValue;
+    if (isInOrNearViewportUtil(newValue)) {
+      void this.timelineManager.loadTimelineMonth(this.yearMonth);
+    } else {
+      this.cancel();
    }
  }

  get isInOrNearViewport() {
-    return this.#isInOrNearViewport;
+    return isInOrNearViewportUtil(this.#viewportProximity);
  }

  get isInViewport() {
-    return this.#isInViewport;
+    return isInViewportUtil(this.#viewportProximity);
  }

  get lastTimelineDay() {
@@ -1,24 +1,28 @@
 import type { CommonPosition } from '$lib/utils/layout-utils';
-import { calculateViewerAssetIsInOrNearViewport } from './internal/intersection-support.svelte';
+import {
+  ViewportProximity,
+  calculateViewerAssetViewportProximity,
+  isInOrNearViewport,
+} from './internal/intersection-support.svelte';
 import type { TimelineDay } from './timeline-day.svelte';
 import type { TimelineAsset } from './types';

 export class ViewerAsset {
  readonly #group: TimelineDay;

-  #isInOrNearViewport = $derived.by(() => {
+  #viewportProximity = $derived.by(() => {
    if (!this.position) {
-      return false;
+      return ViewportProximity.FarFromViewport;
    }

    const store = this.#group.timelineMonth.timelineManager;
    const positionTop = this.#group.absoluteTimelineDayTop + this.position.top;

-    return calculateViewerAssetIsInOrNearViewport(store, positionTop, this.position.height);
+    return calculateViewerAssetViewportProximity(store, positionTop, this.position.height);
  });

  get isInOrNearViewport() {
-    return this.#isInOrNearViewport;
+    return isInOrNearViewport(this.#viewportProximity);
  }

  position: CommonPosition | undefined = $state.raw();