Merge pull request #4 from tiquis0290/dev
pulling changes from dev branch
This commit is contained in:
Marek Maslowski
@@ -15,6 +15,7 @@ import {
|
||||
proxyThumbnail,
|
||||
proxyOriginal,
|
||||
isValidAssetId,
|
||||
canAccessUserPhoto,
|
||||
listAlbums,
|
||||
syncAlbumAssets,
|
||||
getAssetInfo,
|
||||
@@ -86,7 +87,12 @@ router.get('/assets/:assetId/info', authenticate, async (req: Request, res: Resp
|
||||
const authReq = req as AuthRequest;
|
||||
const { assetId } = req.params;
|
||||
if (!isValidAssetId(assetId)) return res.status(400).json({ error: 'Invalid asset ID' });
|
||||
const result = await getAssetInfo(authReq.user.id, assetId);
|
||||
const queryUserId = req.query.userId ? Number(req.query.userId) : undefined;
|
||||
const ownerUserId = queryUserId && queryUserId !== authReq.user.id ? queryUserId : undefined;
|
||||
if (ownerUserId && !canAccessUserPhoto(authReq.user.id, ownerUserId, assetId)) {
|
||||
return res.status(403).json({ error: 'Forbidden' });
|
||||
}
|
||||
const result = await getAssetInfo(authReq.user.id, assetId, ownerUserId);
|
||||
if (result.error) return res.status(result.status!).json({ error: result.error });
|
||||
res.json(result.data);
|
||||
});
|
||||
@@ -97,7 +103,12 @@ router.get('/assets/:assetId/thumbnail', authFromQuery, async (req: Request, res
|
||||
const authReq = req as AuthRequest;
|
||||
const { assetId } = req.params;
|
||||
if (!isValidAssetId(assetId)) return res.status(400).send('Invalid asset ID');
|
||||
const result = await proxyThumbnail(authReq.user.id, assetId);
|
||||
const queryUserId = req.query.userId ? Number(req.query.userId) : undefined;
|
||||
const ownerUserId = queryUserId && queryUserId !== authReq.user.id ? queryUserId : undefined;
|
||||
if (ownerUserId && !canAccessUserPhoto(authReq.user.id, ownerUserId, assetId)) {
|
||||
return res.status(403).send('Forbidden');
|
||||
}
|
||||
const result = await proxyThumbnail(authReq.user.id, assetId, ownerUserId);
|
||||
if (result.error) return res.status(result.status!).send(result.error);
|
||||
res.set('Content-Type', result.contentType!);
|
||||
res.set('Cache-Control', 'public, max-age=86400');
|
||||
@@ -108,7 +119,12 @@ router.get('/assets/:assetId/original', authFromQuery, async (req: Request, res:
|
||||
const authReq = req as AuthRequest;
|
||||
const { assetId } = req.params;
|
||||
if (!isValidAssetId(assetId)) return res.status(400).send('Invalid asset ID');
|
||||
const result = await proxyOriginal(authReq.user.id, assetId);
|
||||
const queryUserId = req.query.userId ? Number(req.query.userId) : undefined;
|
||||
const ownerUserId = queryUserId && queryUserId !== authReq.user.id ? queryUserId : undefined;
|
||||
if (ownerUserId && !canAccessUserPhoto(authReq.user.id, ownerUserId, assetId)) {
|
||||
return res.status(403).send('Forbidden');
|
||||
}
|
||||
const result = await proxyOriginal(authReq.user.id, assetId, ownerUserId);
|
||||
if (result.error) return res.status(result.status!).send(result.error);
|
||||
res.set('Content-Type', result.contentType!);
|
||||
res.set('Cache-Control', 'public, max-age=86400');
|
||||
|
||||
@@ -190,11 +190,27 @@ export async function searchPhotos(
|
||||
|
||||
// ── Asset Info / Proxy ─────────────────────────────────────────────────────
|
||||
|
||||
/**
|
||||
* Verify that requestingUserId can access a shared photo belonging to ownerUserId.
|
||||
* The asset must be shared (shared=1) and the requesting user must be a member of
|
||||
* the same trip that contains the photo.
|
||||
*/
|
||||
export function canAccessUserPhoto(requestingUserId: number, ownerUserId: number, assetId: string): boolean {
|
||||
const row = db.prepare(`
|
||||
SELECT tp.trip_id FROM trip_photos tp
|
||||
WHERE tp.immich_asset_id = ? AND tp.user_id = ? AND tp.shared = 1
|
||||
`).get(assetId, ownerUserId) as { trip_id: number } | undefined;
|
||||
if (!row) return false;
|
||||
return !!canAccessTrip(String(row.trip_id), requestingUserId);
|
||||
}
|
||||
|
||||
export async function getAssetInfo(
|
||||
userId: number,
|
||||
assetId: string
|
||||
assetId: string,
|
||||
ownerUserId?: number
|
||||
): Promise<{ data?: any; error?: string; status?: number }> {
|
||||
const creds = getImmichCredentials(userId);
|
||||
const effectiveUserId = ownerUserId ?? userId;
|
||||
const creds = getImmichCredentials(effectiveUserId);
|
||||
if (!creds) return { error: 'Not found', status: 404 };
|
||||
|
||||
try {
|
||||
@@ -232,9 +248,11 @@ export async function getAssetInfo(
|
||||
|
||||
export async function proxyThumbnail(
|
||||
userId: number,
|
||||
assetId: string
|
||||
assetId: string,
|
||||
ownerUserId?: number
|
||||
): Promise<{ buffer?: Buffer; contentType?: string; error?: string; status?: number }> {
|
||||
const creds = getImmichCredentials(userId);
|
||||
const effectiveUserId = ownerUserId ?? userId;
|
||||
const creds = getImmichCredentials(effectiveUserId);
|
||||
if (!creds) return { error: 'Not found', status: 404 };
|
||||
|
||||
try {
|
||||
@@ -253,9 +271,11 @@ export async function proxyThumbnail(
|
||||
|
||||
export async function proxyOriginal(
|
||||
userId: number,
|
||||
assetId: string
|
||||
assetId: string,
|
||||
ownerUserId?: number
|
||||
): Promise<{ buffer?: Buffer; contentType?: string; error?: string; status?: number }> {
|
||||
const creds = getImmichCredentials(userId);
|
||||
const effectiveUserId = ownerUserId ?? userId;
|
||||
const creds = getImmichCredentials(effectiveUserId);
|
||||
if (!creds) return { error: 'Not found', status: 404 };
|
||||
|
||||
try {
|
||||
|
||||
Reference in New Issue
Block a user