KevinMidboe/immich
1
0
Fork 0
mirror of https://github.com/KevinMidboe/immich.git synced 2025-10-29 17:40:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(web,server): disable partner's archive access (#3695)

Browse Source
This commit is contained in:
Sergey Kondrikov
2023-08-15 19:02:38 +03:00
committed by GitHub
parent efc7fdb669
commit 74da15e20d
3 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
server/src/domain/access/access.core.ts
View File

@@ -19,6 +19,8 @@ export enum Permission {
ALBUM_SHARE = 'album.share',
ALBUM_DOWNLOAD = 'album.download',
ARCHIVE_READ = 'archive.read',
LIBRARY_READ = 'library.read',
LIBRARY_DOWNLOAD = 'library.download',
}
@@ -156,6 +158,9 @@ export class AccessCore {
case Permission.ALBUM_REMOVE_ASSET:
return this.repository.album.hasOwnerAccess(authUser.id, id);
case Permission.ARCHIVE_READ:
return authUser.id === id;
case Permission.LIBRARY_READ:
return authUser.id === id || (await this.repository.library.hasPartnerAccess(authUser.id, id));

3
server/src/domain/asset/asset.service.ts
View File

@@ -148,6 +148,9 @@ export class AssetService {
if (dto.albumId) {
await this.access.requirePermission(authUser, Permission.ALBUM_READ, [dto.albumId]);
} else if (dto.userId) {
if (dto.isArchived !== false) {
await this.access.requirePermission(authUser, Permission.ARCHIVE_READ, [dto.userId]);
}
await this.access.requirePermission(authUser, Permission.LIBRARY_READ, [dto.userId]);
} else {
dto.userId = authUser.id;