fix(server): scoped permissions for more endpoints

This commit is contained in:
Mees Frensel
2026-01-22 16:38:22 +01:00
parent 7cbfc12e0d
commit 5404ebe034
7 changed files with 16 additions and 5 deletions


@@ -168,6 +168,7 @@ class Permission {
static const queueJobPeriodRead = Permission._(r'queueJob.read');
static const queueJobPeriodUpdate = Permission._(r'queueJob.update');
static const queueJobPeriodDelete = Permission._(r'queueJob.delete');
static const viewPeriodFolder = Permission._(r'view.folder');
static const workflowPeriodCreate = Permission._(r'workflow.create');
static const workflowPeriodRead = Permission._(r'workflow.read');
static const workflowPeriodUpdate = Permission._(r'workflow.update');
@@ -326,6 +327,7 @@ class Permission {
queueJobPeriodRead,
queueJobPeriodUpdate,
queueJobPeriodDelete,
viewPeriodFolder,
workflowPeriodCreate,
workflowPeriodRead,
workflowPeriodUpdate,
@@ -519,6 +521,7 @@ class PermissionTypeTransformer {
case r'queueJob.read': return Permission.queueJobPeriodRead;
case r'queueJob.update': return Permission.queueJobPeriodUpdate;
case r'queueJob.delete': return Permission.queueJobPeriodDelete;
case r'view.folder': return Permission.viewPeriodFolder;
case r'workflow.create': return Permission.workflowPeriodCreate;
case r'workflow.read': return Permission.workflowPeriodRead;
case r'workflow.update': return Permission.workflowPeriodUpdate;


@@ -3173,6 +3173,7 @@
"state": "Stable"
}
],
"x-immich-permission": "asset.upload",
"x-immich-state": "Stable"
}
},
@@ -3225,6 +3226,7 @@
"state": "Stable"
}
],
"x-immich-permission": "job.create",
"x-immich-state": "Stable"
}
},
@@ -14618,6 +14620,7 @@
"state": "Stable"
}
],
"x-immich-permission": "view.folder",
"x-immich-state": "Stable"
}
},
@@ -14670,6 +14673,7 @@
"state": "Stable"
}
],
"x-immich-permission": "view.folder",
"x-immich-state": "Stable"
}
},
@@ -19054,6 +19058,7 @@
"queueJob.read",
"queueJob.update",
"queueJob.delete",
"view.folder",
"workflow.create",
"workflow.read",
"workflow.update",


@@ -5620,6 +5620,7 @@ export enum Permission {
QueueJobRead = "queueJob.read",
QueueJobUpdate = "queueJob.update",
QueueJobDelete = "queueJob.delete",
ViewFolder = "view.folder",
WorkflowCreate = "workflow.create",
WorkflowRead = "workflow.read",
WorkflowUpdate = "workflow.update",


@@ -202,7 +202,7 @@ export class AssetMediaController {
}
@Post('exist')
@Authenticated()
@Authenticated({ permission: Permission.AssetUpload })
@Endpoint({
summary: 'Check existing assets',
description: 'Checks if multiple assets exist on the server and returns all existing - used by background backup',
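Review bot: Gating `POST /assets/exist` on `Permission.AssetUpload` (the new decorator line) means an API key scoped only to `asset.read` can no longer ask which assets already exist, even though the summary describes a check rather than a write. If that is deliberate because the endpoint belongs to the upload flow (the description says it is used by background backup), record the reason next to the decorator so a later reader does not "correct" it to `asset.read`: `// Part of the upload/dedupe flow: a key that may upload must be able to check existence first, hence asset.upload rather than asset.read.` The `@Endpoint` call and the handler body continue outside the hunk, so whether the handler filters results by the caller's ownership is not visible here.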


@@ -66,7 +66,7 @@ export class AssetController {
}
@Post('jobs')
@Authenticated()
@Authenticated({ permission: Permission.JobCreate })
@HttpCode(HttpStatus.NO_CONTENT)
@Endpoint({
summary: 'Run an asset job',
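Review bot: The new `Permission.JobCreate` guard on `POST /assets/jobs` only decides whether the key may trigger asset jobs at all; whether the caller is allowed to act on the specific asset IDs in the request body presumably still rests on a per-asset access check in the service, which is not part of this diff and is worth confirming, since a scope check alone would let any job-capable key queue work against assets it cannot otherwise read. Unlike the view controller section, no `Permission` import is added to this file, so it is presumably already imported for other endpoints here. A short comment on the decorator stating that ownership of the listed assets is still enforced downstream, `// scope only; per-asset access is checked in the service`, would make the split of responsibility explicit. The handler body continues outside the hunk.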


@@ -3,7 +3,7 @@ import { ApiTags } from '@nestjs/swagger';
import { Endpoint, HistoryBuilder } from 'src/decorators';
import { AssetResponseDto } from 'src/dtos/asset-response.dto';
import { AuthDto } from 'src/dtos/auth.dto';
import { ApiTag } from 'src/enum';
import { ApiTag, Permission } from 'src/enum';
import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { ViewService } from 'src/services/view.service';
@@ -13,7 +13,7 @@ export class ViewController {
constructor(private service: ViewService) {}
@Get('folder/unique-paths')
@Authenticated()
@Authenticated({ permission: Permission.ViewFolder })
@Endpoint({
summary: 'Retrieve unique paths',
description: 'Retrieve a list of unique folder paths from asset original paths.',
@@ -24,7 +24,7 @@ export class ViewController {
}
@Get('folder')
@Authenticated()
@Authenticated({ permission: Permission.ViewFolder })
@Endpoint({
summary: 'Retrieve assets by original path',
description: 'Retrieve assets that are children of a specific folder.',
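Review bot: `view.folder` is a brand-new permission value (added to the enum in this commit), so any API key issued before this change with an explicit permission list cannot contain it and will start receiving 403 on `GET /view/folder` and `GET /view/folder/unique-paths` once this is deployed, unless the auth guard treats a broader grant as satisfying it — nothing in the diff shows such a mapping or a data migration. That is a behavior change for existing integrations and should be called out in the commit message or changelog, and the guard's handling of broader grants confirmed. Since `unique-paths` exposes original-path segments of the user's library, gating it on its own permission rather than the general asset read scope is a sensible least-privilege choice; a one-line comment on the first decorator saying so, `// Folder browsing exposes original paths, so it has its own scope rather than riding on asset.read.`, would preserve that intent. Both handler bodies continue outside the hunks.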


@@ -270,6 +270,8 @@ export enum Permission {
QueueJobUpdate = 'queueJob.update',
QueueJobDelete = 'queueJob.delete',
ViewFolder = 'view.folder',
WorkflowCreate = 'workflow.create',
WorkflowRead = 'workflow.read',
WorkflowUpdate = 'workflow.update',