fix(server): avoid leaking people data on shared links (#6779)

* fix: avoid leaking people data on shared links * test: add e2e test
2024-11-15 09:59:00 -07:00 · 2024-01-30 22:34:00 +01:00 · 2024-01-30 22:34:00 +01:00 · 1bfef200a5
commit 1bfef200a5
parent e90d3a169c
2 changed files with 42 additions and 1 deletions
--- a/server/e2e/api/specs/asset.e2e-spec.ts
+++ b/server/e2e/api/specs/asset.e2e-spec.ts
@ -559,6 +559,47 @@ describe(`${AssetController.name} (e2e)`, () => {
      expect(status).toBe(200);
      expect(body).toMatchObject({ id: asset1.id });
    });
+
+    it('should not send people data for shared links for un-authenticated users', async () => {
+      const personRepository = app.get<IPersonRepository>(IPersonRepository);
+      const person = await personRepository.create({ ownerId: asset1.ownerId, name: 'Test Person' });
+
+      await personRepository.createFaces([
+        {
+          assetId: asset1.id,
+          personId: person.id,
+          embedding: Array.from({ length: 512 }, Math.random),
+        },
+      ]);
+
+      const { status, body } = await request(server)
+        .put(`/asset/${asset1.id}`)
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({ isFavorite: true });
+      expect(status).toEqual(200);
+      expect(body).toMatchObject({
+        id: asset1.id,
+        isFavorite: true,
+        people: [
+          {
+            birthDate: null,
+            id: expect.any(String),
+            isHidden: false,
+            name: 'Test Person',
+            thumbnailPath: '',
+          },
+        ],
+      });
+
+      const sharedLink = await api.sharedLinkApi.create(server, user1.accessToken, {
+        type: SharedLinkType.INDIVIDUAL,
+        assetIds: [asset1.id],
+      });
+
+      const data = await request(server).get(`/asset/assetById/${asset1.id}?key=${sharedLink.key}`);
+      expect(data.status).toBe(200);
+      expect(data.body).toMatchObject({ people: [] });
+    });
  });

  describe('GET /asset/:id', () => {
--- a/server/src/domain/asset/asset.service.ts
+++ b/server/src/domain/asset/asset.service.ts
@ -321,7 +321,7 @@ export class AssetService {
      delete data.owner;
    }

-    if (data.ownerId !== auth.user.id) {
+    if (data.ownerId !== auth.user.id || auth.sharedLink) {
      data.people = [];
    }