github/TREK
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(immich): check all trips when verifying shared photo access

Browse Source 
canAccessUserPhoto was using .get() which only returned the first matching
trip, causing access to be incorrectly denied when a photo was shared across
multiple trips and the requester was a member of a non-first trip.
This commit is contained in:
jubnl
2026-04-04 00:14:11 +02:00
parent 6400c2d27d
commit ae0d48ac83
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
server/src/services/immichService.ts
View File

@@ -236,12 +236,12 @@ export function togglePhotoSharing(tripId: string, userId: number, assetId: stri
* the same trip that contains the photo.
*/
export function canAccessUserPhoto(requestingUserId: number, ownerUserId: number, assetId: string): boolean {
const row = db.prepare(`
const rows = db.prepare(`
SELECT tp.trip_id FROM trip_photos tp
WHERE tp.immich_asset_id = ? AND tp.user_id = ? AND tp.shared = 1
`).get(assetId, ownerUserId) as { trip_id: number } | undefined;
if (!row) return false;
return !!canAccessTrip(String(row.trip_id), requestingUserId);
`).all(assetId, ownerUserId) as { trip_id: number }[];
if (rows.length === 0) return false;
return rows.some(row => !!canAccessTrip(String(row.trip_id), requestingUserId));
}
export async function getAssetInfo(