fix(server): scoped permissions for more endpoints (#25452)

2026-02-04 08:49:01 +03:00 · 2026-01-23 15:03:57 +01:00
parent 84679fb2b2
commit 20dca39143
7 changed files with 16 additions and 5 deletions
--- a/server/src/controllers/asset-media.controller.ts
+++ b/server/src/controllers/asset-media.controller.ts
@@ -202,7 +202,7 @@ export class AssetMediaController {
  }

  @Post('exist')
-  @Authenticated()
+  @Authenticated({ permission: Permission.AssetUpload })
  @Endpoint({
    summary: 'Check existing assets',
    description: 'Checks if multiple assets exist on the server and returns all existing - used by background backup',
--- a/server/src/controllers/asset.controller.ts
+++ b/server/src/controllers/asset.controller.ts
@@ -66,7 +66,7 @@ export class AssetController {
  }

  @Post('jobs')
-  @Authenticated()
+  @Authenticated({ permission: Permission.JobCreate })
  @HttpCode(HttpStatus.NO_CONTENT)
  @Endpoint({
    summary: 'Run an asset job',
--- a/server/src/controllers/view.controller.ts
+++ b/server/src/controllers/view.controller.ts
@@ -3,7 +3,7 @@ import { ApiTags } from '@nestjs/swagger';
 import { Endpoint, HistoryBuilder } from 'src/decorators';
 import { AssetResponseDto } from 'src/dtos/asset-response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
-import { ApiTag } from 'src/enum';
+import { ApiTag, Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { ViewService } from 'src/services/view.service';

@@ -13,7 +13,7 @@ export class ViewController {
  constructor(private service: ViewService) {}

  @Get('folder/unique-paths')
-  @Authenticated()
+  @Authenticated({ permission: Permission.FolderRead })
  @Endpoint({
    summary: 'Retrieve unique paths',
    description: 'Retrieve a list of unique folder paths from asset original paths.',
@@ -24,7 +24,7 @@ export class ViewController {
  }

  @Get('folder')
-  @Authenticated()
+  @Authenticated({ permission: Permission.FolderRead })
  @Endpoint({
    summary: 'Retrieve assets by original path',
    description: 'Retrieve assets that are children of a specific folder.',
--- a/server/src/enum.ts
+++ b/server/src/enum.ts
@@ -146,6 +146,8 @@ export enum Permission {
  FaceUpdate = 'face.update',
  FaceDelete = 'face.delete',

+  FolderRead = 'folder.read',
+
  JobCreate = 'job.create',
  JobRead = 'job.read',