github-mirrors/immich
1
0
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2026-03-22 20:59:50 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix(server): restrict individual shared link asset removal to owners (#26868)

Browse Source 
* fix(server): restrict individual shared link asset removal to owners

* make open-api
This commit is contained in:
Michel Heusschen
2026-03-12 19:48:00 +01:00
committed by GitHub
parent 6bb8f4fcc4
commit 3fd24e2083
8 changed files with 55 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
server/src/controllers/shared-link.controller.spec.ts
View File

@@ -1,7 +1,8 @@
import { SharedLinkController } from 'src/controllers/shared-link.controller';
import { SharedLinkType } from 'src/enum';
import { Permission, SharedLinkType } from 'src/enum';
import { SharedLinkService } from 'src/services/shared-link.service';
import request from 'supertest';
import { factory } from 'test/small.factory';
import { ControllerContext, controllerSetup, mockBaseService } from 'test/utils';
describe(SharedLinkController.name, () => {
@@ -31,4 +32,16 @@ describe(SharedLinkController.name, () => {
expect(service.create).toHaveBeenCalledWith(undefined, expect.objectContaining({ expiresAt: null }));
});
});
describe('DELETE /shared-links/:id/assets', () => {
it('should require shared link update permission', async () => {
await request(ctx.getHttpServer()).delete(`/shared-links/${factory.uuid()}/assets`).send({ assetIds: [] });
expect(ctx.authenticate).toHaveBeenCalledWith(
expect.objectContaining({
metadata: expect.objectContaining({ permission: Permission.SharedLinkUpdate, sharedLinkRoute: false }),
}),
);
});
});
});