fix asset upload permissions for shared links (#4325)

Daniel Dietzler 2023-10-03 18:36:51 +02:00 committed by GitHub
parent e2f1e38472
commit e5f704cf3b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 6 deletions


@ -10,6 +10,7 @@ export enum Permission {
ASSET_SHARE = 'asset.share', ASSET_SHARE = 'asset.share',
ASSET_VIEW = 'asset.view', ASSET_VIEW = 'asset.view',
ASSET_DOWNLOAD = 'asset.download', ASSET_DOWNLOAD = 'asset.download',
ASSET_UPLOAD = 'asset.upload',
// ALBUM_CREATE = 'album.create', // ALBUM_CREATE = 'album.create',
ALBUM_READ = 'album.read', ALBUM_READ = 'album.read',
@ -26,7 +27,6 @@ export enum Permission {
LIBRARY_CREATE = 'library.create', LIBRARY_CREATE = 'library.create',
LIBRARY_READ = 'library.read', LIBRARY_READ = 'library.read',
LIBRARY_WRITE = 'library.write',
LIBRARY_UPDATE = 'library.update', LIBRARY_UPDATE = 'library.update',
LIBRARY_DELETE = 'library.delete', LIBRARY_DELETE = 'library.delete',
LIBRARY_DOWNLOAD = 'library.download', LIBRARY_DOWNLOAD = 'library.download',
@ -96,6 +96,9 @@ export class AccessCore {
case Permission.ASSET_DOWNLOAD: case Permission.ASSET_DOWNLOAD:
return !!authUser.isAllowDownload && (await this.repository.asset.hasSharedLinkAccess(sharedLinkId, id)); return !!authUser.isAllowDownload && (await this.repository.asset.hasSharedLinkAccess(sharedLinkId, id));
case Permission.ASSET_UPLOAD:
return authUser.isAllowUpload;
case Permission.ASSET_SHARE: case Permission.ASSET_SHARE:
// TODO: fix this to not use authUser.id for shared link access control // TODO: fix this to not use authUser.id for shared link access control
return this.repository.asset.hasOwnerAccess(authUser.id, id); return this.repository.asset.hasOwnerAccess(authUser.id, id);
@ -166,6 +169,9 @@ export class AccessCore {
(await this.repository.album.hasSharedAlbumAccess(authUser.id, id)) (await this.repository.album.hasSharedAlbumAccess(authUser.id, id))
); );
case Permission.ASSET_UPLOAD:
return this.repository.library.hasOwnerAccess(authUser.id, id);
case Permission.ALBUM_REMOVE_ASSET: case Permission.ALBUM_REMOVE_ASSET:
return this.repository.album.hasOwnerAccess(authUser.id, id); return this.repository.album.hasOwnerAccess(authUser.id, id);
@ -184,9 +190,6 @@ export class AccessCore {
(await this.repository.library.hasPartnerAccess(authUser.id, id)) (await this.repository.library.hasPartnerAccess(authUser.id, id))
); );
case Permission.LIBRARY_WRITE:
return this.repository.library.hasOwnerAccess(authUser.id, id);
case Permission.LIBRARY_UPDATE: case Permission.LIBRARY_UPDATE:
return this.repository.library.hasOwnerAccess(authUser.id, id); return this.repository.library.hasOwnerAccess(authUser.id, id);
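Review bot: In the shared-link branch (third hunk, `case Permission.ASSET_UPLOAD: return authUser.isAllowUpload;`) the decision ignores `id` entirely, whereas the neighbouring ASSET_DOWNLOAD case combines the link flag with `hasSharedLinkAccess(sharedLinkId, id)`. Here `id` is the library the upload lands in (the fourth hunk resolves ASSET_UPLOAD via `library.hasOwnerAccess`, and asset.service.ts passes `libraryId`), so an upload-enabled link is granted for whatever library id reaches this point; whether that is acceptable depends on what `getLibraryId` does for a shared-link caller, which is outside the hunk, so it is worth confirming or tying the check to the link's owner. The return should also be coerced like its sibling, `return !!authUser.isAllowUpload;`, so the method yields a boolean even if the flag is optional. In the fourth hunk the new case sits among the ALBUM_* cases and checks a library repository under an asset permission; a one-line comment such as `// id is the target libraryId: uploading requires owning the library` would make that intentional. Both switch statements start and end outside the hunks.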


@ -91,7 +91,7 @@ export class AssetService {
try { try {
const libraryId = await this.getLibraryId(authUser, dto.libraryId); const libraryId = await this.getLibraryId(authUser, dto.libraryId);
await this.access.requirePermission(authUser, Permission.LIBRARY_WRITE, libraryId); await this.access.requirePermission(authUser, Permission.ASSET_UPLOAD, libraryId);
if (livePhotoFile) { if (livePhotoFile) {
const livePhotoDto = { ...dto, assetType: AssetType.VIDEO, isVisible: false, libraryId }; const livePhotoDto = { ...dto, assetType: AssetType.VIDEO, isVisible: false, libraryId };
livePhotoAsset = await this.assetCore.create(authUser, livePhotoDto, livePhotoFile); livePhotoAsset = await this.assetCore.create(authUser, livePhotoDto, livePhotoFile);
@ -163,7 +163,7 @@ export class AssetService {
try { try {
const libraryId = await this.getLibraryId(authUser, dto.libraryId); const libraryId = await this.getLibraryId(authUser, dto.libraryId);
await this.access.requirePermission(authUser, Permission.LIBRARY_WRITE, libraryId); await this.access.requirePermission(authUser, Permission.ASSET_UPLOAD, libraryId);
const asset = await this.assetCore.create(authUser, { ...dto, libraryId }, assetFile, undefined, dto.sidecarPath); const asset = await this.assetCore.create(authUser, { ...dto, libraryId }, assetFile, undefined, dto.sidecarPath);
return { id: asset.id, duplicate: false }; return { id: asset.id, duplicate: false };
} catch (error: QueryFailedError | Error | any) { } catch (error: QueryFailedError | Error | any) {
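Review bot: The pair `const libraryId = await this.getLibraryId(authUser, dto.libraryId);` followed by `await this.access.requirePermission(authUser, Permission.ASSET_UPLOAD, libraryId);` is now duplicated verbatim in both hunks. A small private helper that resolves the library and performs the ASSET_UPLOAD check in one place would keep the two upload paths from drifting the next time the permission model changes, as it did here. Both enclosing methods start and end outside the hunks.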