fix: add scoped API permissions to map endpoints

2026-01-21 17:13:17 -08:00 · 2026-01-21 17:34:09 +01:00
5 changed files with 18 additions and 3 deletions
--- a/mobile/openapi/lib/model/permission.dart
+++ b/mobile/openapi/lib/model/permission.dart
@@ -82,6 +82,8 @@ class Permission {
  static const timelinePeriodRead = Permission._(r'timeline.read');
  static const timelinePeriodDownload = Permission._(r'timeline.download');
  static const maintenance = Permission._(r'maintenance');
+  static const mapPeriodGeocode = Permission._(r'map.geocode');
+  static const mapPeriodRead = Permission._(r'map.read');
  static const memoryPeriodCreate = Permission._(r'memory.create');
  static const memoryPeriodRead = Permission._(r'memory.read');
  static const memoryPeriodUpdate = Permission._(r'memory.update');
@@ -238,6 +240,8 @@ class Permission {
    timelinePeriodRead,
    timelinePeriodDownload,
    maintenance,
+    mapPeriodGeocode,
+    mapPeriodRead,
    memoryPeriodCreate,
    memoryPeriodRead,
    memoryPeriodUpdate,
@@ -429,6 +433,8 @@ class PermissionTypeTransformer {
        case r'timeline.read': return Permission.timelinePeriodRead;
        case r'timeline.download': return Permission.timelinePeriodDownload;
        case r'maintenance': return Permission.maintenance;
+        case r'map.geocode': return Permission.mapPeriodGeocode;
+        case r'map.read': return Permission.mapPeriodRead;
        case r'memory.create': return Permission.memoryPeriodCreate;
        case r'memory.read': return Permission.memoryPeriodRead;
        case r'memory.update': return Permission.memoryPeriodUpdate;
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@@ -6305,6 +6305,7 @@
            "state": "Stable"
          }
        ],
+        "x-immich-permission": "map.read",
        "x-immich-state": "Stable"
      }
    },
@@ -6376,6 +6377,7 @@
            "state": "Stable"
          }
        ],
+        "x-immich-permission": "map.geocode",
        "x-immich-state": "Stable"
      }
    },
@@ -18966,6 +18968,8 @@
          "timeline.read",
          "timeline.download",
          "maintenance",
+          "map.geocode",
+          "map.read",
          "memory.create",
          "memory.read",
          "memory.update",
--- a/open-api/typescript-sdk/src/fetch-client.ts
+++ b/open-api/typescript-sdk/src/fetch-client.ts
@@ -5534,6 +5534,8 @@ export enum Permission {
    TimelineRead = "timeline.read",
    TimelineDownload = "timeline.download",
    Maintenance = "maintenance",
+    MapGeocode = "map.geocode",
+    MapRead = "map.read",
    MemoryCreate = "memory.create",
    MemoryRead = "memory.read",
    MemoryUpdate = "memory.update",
--- a/server/src/controllers/map.controller.ts
+++ b/server/src/controllers/map.controller.ts
@@ -8,7 +8,7 @@ import {
  MapReverseGeocodeDto,
  MapReverseGeocodeResponseDto,
 } from 'src/dtos/map.dto';
-import { ApiTag } from 'src/enum';
+import { ApiTag, Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { MapService } from 'src/services/map.service';

@@ -18,7 +18,7 @@ export class MapController {
  constructor(private service: MapService) {}

  @Get('markers')
-  @Authenticated()
+  @Authenticated({ permission: Permission.MapRead })
  @Endpoint({
    summary: 'Retrieve map markers',
    description: 'Retrieve a list of latitude and longitude coordinates for every asset with location data.',
@@ -28,8 +28,8 @@ export class MapController {
    return this.service.getMapMarkers(auth, options);
  }

-  @Authenticated()
  @Get('reverse-geocode')
+  @Authenticated({ permission: Permission.MapGeocode })
  @HttpCode(HttpStatus.OK)
  @Endpoint({
    summary: 'Reverse geocode coordinates',
--- a/server/src/enum.ts
+++ b/server/src/enum.ts
@@ -160,6 +160,9 @@ export enum Permission {

  Maintenance = 'maintenance',

+  MapGeocode = 'map.geocode',
+  MapRead = 'map.read',
+
  MemoryCreate = 'memory.create',
  MemoryRead = 'memory.read',
  MemoryUpdate = 'memory.update',