github-mirrors/immich
1
0
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2026-03-26 20:00:44 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix(server): album permissions for editors (#27214)

Browse Source 
* fix(server): album permissions for editors

* test: adjust e2e test

* test: fix test
This commit is contained in:
Yaros
2026-03-24 03:39:30 +01:00
committed by GitHub
parent ff9ae24219
commit 94b15b8678
2 changed files with 22 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
e2e/src/specs/server/api/album.e2e-spec.ts
View File

@@ -524,14 +524,19 @@ describe('/albums', () => {
expect(body).toEqual(errorDto.badRequest('Not found or no album.update access')); expect(body).toEqual(errorDto.badRequest('Not found or no album.update access'));
}); });
it('should not be able to update as an editor', async () => { it('should be able to update as an editor', async () => {
const { status, body } = await request(app) const { status, body } = await request(app)
.patch(`/albums/${user1Albums[0].id}`) .patch(`/albums/${user1Albums[0].id}`)
.set('Authorization', `Bearer ${user2.accessToken}`) .set('Authorization', `Bearer ${user2.accessToken}`)
.send({ albumName: 'New album name' }); .send({ albumName: 'New album name' });
expect(status).toBe(400); expect(status).toBe(200);
expect(body).toEqual(errorDto.badRequest('Not found or no album.update access')); expect(body).toEqual(
expect.objectContaining({
id: user1Albums[0].id,
albumName: 'New album name',
}),
);
}); });
}); });

16
server/src/utils/access.ts
View File

@@ -190,7 +190,13 @@ const checkOtherAccess = async (access: AccessRepository, request: OtherAccessRe
} }
case Permission.AlbumUpdate: { case Permission.AlbumUpdate: {
return await access.album.checkOwnerAccess(auth.user.id, ids); const isOwner = await access.album.checkOwnerAccess(auth.user.id, ids);
const isShared = await access.album.checkSharedAlbumAccess(
auth.user.id,
setDifference(ids, isOwner),
AlbumUserRole.Editor,
);
return setUnion(isOwner, isShared);
} }
case Permission.AlbumDelete: { case Permission.AlbumDelete: {
@@ -198,7 +204,13 @@ const checkOtherAccess = async (access: AccessRepository, request: OtherAccessRe
} }
case Permission.AlbumShare: { case Permission.AlbumShare: {
return await access.album.checkOwnerAccess(auth.user.id, ids); const isOwner = await access.album.checkOwnerAccess(auth.user.id, ids);
const isShared = await access.album.checkSharedAlbumAccess(
auth.user.id,
setDifference(ids, isOwner),
AlbumUserRole.Editor,
);
return setUnion(isOwner, isShared);
} }
case Permission.AlbumDownload: { case Permission.AlbumDownload: {