	fix(server): partner can view archived assets (#9750)
* fix(server): partner can view archived assets * update sql queries
		
							parent
							
								
									9e71256191
								
							
						
					
					
						commit
						8a7b0f66a4
					
				| @ -86,6 +86,8 @@ describe('/asset', () => { | ||||
|       utils.userSetup(admin.accessToken, createUserDto.create('stack')), | ||||
|     ]); | ||||
| 
 | ||||
|     await utils.createPartner(user1.accessToken, user2.userId); | ||||
| 
 | ||||
|     // asset location
 | ||||
|     locationAsset = await utils.createAsset(admin.accessToken, { | ||||
|       assetData: { | ||||
| @ -233,6 +235,35 @@ describe('/asset', () => { | ||||
|       expect(data.status).toBe(200); | ||||
|       expect(data.body).toMatchObject({ people: [] }); | ||||
|     }); | ||||
| 
 | ||||
|     describe('partner assets', () => { | ||||
|       it('should get the asset info', async () => { | ||||
|         const { status, body } = await request(app) | ||||
|           .get(`/asset/${user1Assets[0].id}`) | ||||
|           .set('Authorization', `Bearer ${user2.accessToken}`); | ||||
|         expect(status).toBe(200); | ||||
|         expect(body).toMatchObject({ id: user1Assets[0].id }); | ||||
|       }); | ||||
| 
 | ||||
|       it('disallows viewing archived assets', async () => { | ||||
|         const asset = await utils.createAsset(user1.accessToken, { isArchived: true }); | ||||
| 
 | ||||
|         const { status } = await request(app) | ||||
|           .get(`/asset/${asset.id}`) | ||||
|           .set('Authorization', `Bearer ${user2.accessToken}`); | ||||
|         expect(status).toBe(400); | ||||
|       }); | ||||
| 
 | ||||
|       it('disallows viewing trashed assets', async () => { | ||||
|         const asset = await utils.createAsset(user1.accessToken); | ||||
|         await utils.deleteAssets(user1.accessToken, [asset.id]); | ||||
| 
 | ||||
|         const { status } = await request(app) | ||||
|           .get(`/asset/${asset.id}`) | ||||
|           .set('Authorization', `Bearer ${user2.accessToken}`); | ||||
|         expect(status).toBe(400); | ||||
|       }); | ||||
|     }); | ||||
|   }); | ||||
| 
 | ||||
|   describe('GET /asset/statistics', () => { | ||||
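Review bot: The two negative cases in `describe('partner assets')` assert only `expect(status).toBe(400)`, so they would also pass if the request failed for an unrelated reason, for example if `utils.createAsset` did not return a usable `id`. Because these tests pin an authorization boundary, I would first confirm the asset is readable by its owner (the same GET with `user1.accessToken` and `expect(status).toBe(200)`). I would then destructure `body` from the partner's response and assert the permission-denied error shape the API returns, not just the status code. Separately, `await utils.createPartner(user1.accessToken, user2.userId);` sits in the shared setup, so every other test in this suite now runs with user2 as user1's partner; a short comment there saying so would help.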
|  | ||||
| @ -13,6 +13,7 @@ import { | ||||
|   createAlbum, | ||||
|   createApiKey, | ||||
|   createLibrary, | ||||
|   createPartner, | ||||
|   createPerson, | ||||
|   createSharedLink, | ||||
|   createUser, | ||||
| @ -385,6 +386,8 @@ export const utils = { | ||||
|   validateLibrary: (accessToken: string, id: string, dto: ValidateLibraryDto) => | ||||
|     validate({ id, validateLibraryDto: dto }, { headers: asBearerAuth(accessToken) }), | ||||
| 
 | ||||
|   createPartner: (accessToken: string, id: string) => createPartner({ id }, { headers: asBearerAuth(accessToken) }), | ||||
| 
 | ||||
|   setAuthCookies: async (context: BrowserContext, accessToken: string) => | ||||
|     await context.addCookies([ | ||||
|       { | ||||
|  | ||||
| @ -153,6 +153,7 @@ FROM | ||||
|   AND ("asset"."deletedAt" IS NULL) | ||||
| WHERE | ||||
|   "partner"."sharedWithId" = $1 | ||||
|   AND "asset"."isArchived" = false | ||||
|   AND "asset"."id" IN ($2) | ||||
| 
 | ||||
| -- AccessRepository.asset.checkSharedLinkAccess | ||||
|  | ||||
| @ -240,6 +240,7 @@ class AssetAccess implements IAssetAccess { | ||||
|       .innerJoin('sharedBy.assets', 'asset') | ||||
|       .select('asset.id', 'assetId') | ||||
|       .where('partner.sharedWithId = :userId', { userId }) | ||||
|       .andWhere('asset.isArchived = false') | ||||
|       .andWhere('asset.id IN (:...assetIds)', { assetIds: [...assetIds] }) | ||||
|       .getRawMany() | ||||
|       .then((rows) => new Set(rows.map((row) => row.assetId))); | ||||
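Review bot: The added `.andWhere('asset.isArchived = false')` is an access-control rule, but nothing in the query says so, and a later refactor could drop it as if it were a display filter. I would put a comment above it such as `// authorization: partners never get access to archived assets`. The trashed case appears to be covered only implicitly, by the `"asset"."deletedAt" IS NULL` join condition visible in the generated SQL; the same comment should mention that so it is not lost if the join options change. The enclosing method starts above this hunk, so whether other partner-scoped queries need the same clause cannot be judged from here.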
|  | ||||