fix(web,server): disable partner's archive access (#3695)

Sergey Kondrikov 2023-08-15 19:02:38 +03:00 committed by GitHub
parent efc7fdb669
commit 74da15e20d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 1 deletions


@ -19,6 +19,8 @@ export enum Permission {
ALBUM_SHARE = 'album.share', ALBUM_SHARE = 'album.share',
ALBUM_DOWNLOAD = 'album.download', ALBUM_DOWNLOAD = 'album.download',
ARCHIVE_READ = 'archive.read',
LIBRARY_READ = 'library.read', LIBRARY_READ = 'library.read',
LIBRARY_DOWNLOAD = 'library.download', LIBRARY_DOWNLOAD = 'library.download',
} }
@ -156,6 +158,9 @@ export class AccessCore {
case Permission.ALBUM_REMOVE_ASSET: case Permission.ALBUM_REMOVE_ASSET:
return this.repository.album.hasOwnerAccess(authUser.id, id); return this.repository.album.hasOwnerAccess(authUser.id, id);
case Permission.ARCHIVE_READ:
return authUser.id === id;
case Permission.LIBRARY_READ: case Permission.LIBRARY_READ:
return authUser.id === id || (await this.repository.library.hasPartnerAccess(authUser.id, id)); return authUser.id === id || (await this.repository.library.hasPartnerAccess(authUser.id, id));
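Review bot: The new `case Permission.ARCHIVE_READ` branch carries no comment saying it is owner-only on purpose, while the `LIBRARY_READ` case directly below it falls back to `hasPartnerAccess`. A one-line comment above `return authUser.id === id;`, for example `// Archive is owner-only: partner sharing must never grant access to archived assets.`, would keep a later edit from copying the partner fallback into this case. The enclosing switch starts and ends outside the hunk, so whether other authentication paths (such as shared links) can reach this permission cannot be judged from here and is worth confirming.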


@ -148,6 +148,9 @@ export class AssetService {
if (dto.albumId) { if (dto.albumId) {
await this.access.requirePermission(authUser, Permission.ALBUM_READ, [dto.albumId]); await this.access.requirePermission(authUser, Permission.ALBUM_READ, [dto.albumId]);
} else if (dto.userId) { } else if (dto.userId) {
if (dto.isArchived !== false) {
await this.access.requirePermission(authUser, Permission.ARCHIVE_READ, [dto.userId]);
}
await this.access.requirePermission(authUser, Permission.LIBRARY_READ, [dto.userId]); await this.access.requirePermission(authUser, Permission.LIBRARY_READ, [dto.userId]);
} else { } else {
dto.userId = authUser.id; dto.userId = authUser.id;
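Review bot: The `ARCHIVE_READ` check in the `dto.userId` branch is keyed to the request's `isArchived` filter, so it only protects archived assets if the query that runs afterwards strictly applies `isArchived: false`; that query and the rest of the method are outside the hunk. Treating an unset `isArchived` as requiring archive access is the fail-closed choice, and a comment would record the intent: `// Anything but an explicit isArchived=false may return archived assets, so it needs owner-level access.` Other handlers that accept a `userId` and check only `Permission.LIBRARY_READ` are not visible here and may need the same guard. A test asserting that a partner request with `isArchived` unset or `true` is rejected, and that `false` returns no archived items, would pin the behaviour down.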


@ -18,7 +18,7 @@
export let data: PageData; export let data: PageData;
const assetStore = new AssetStore({ size: TimeBucketSize.Month, userId: data.partner.id }); const assetStore = new AssetStore({ size: TimeBucketSize.Month, userId: data.partner.id, isArchived: false });
const assetInteractionStore = createAssetInteractionStore(); const assetInteractionStore = createAssetInteractionStore();
const { isMultiSelectState, selectedAssets } = assetInteractionStore; const { isMultiSelectState, selectedAssets } = assetInteractionStore;