cotugno/immich
2
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2024-11-15 09:59:00 -07:00
Code Issues Packages Projects Releases Wiki Activity

fix(server): avoid leaking people data on shared links (#6779)

Browse Source 
* fix: avoid leaking people data on shared links

* test: add e2e test
This commit is contained in:
martin 2024-01-30 22:34:00 +01:00 committed by GitHub
parent e90d3a169c
commit 1bfef200a5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 42 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
server/e2e/api/specs/asset.e2e-spec.ts
View File

@ -559,6 +559,47 @@ describe(`${AssetController.name} (e2e)`, () => {
expect(status).toBe(200); expect(status).toBe(200);
expect(body).toMatchObject({ id: asset1.id }); expect(body).toMatchObject({ id: asset1.id });
}); });
it('should not send people data for shared links for un-authenticated users', async () => {
const personRepository = app.get<IPersonRepository>(IPersonRepository);
const person = await personRepository.create({ ownerId: asset1.ownerId, name: 'Test Person' });
await personRepository.createFaces([
{
assetId: asset1.id,
personId: person.id,
embedding: Array.from({ length: 512 }, Math.random),
},
]);
const { status, body } = await request(server)
.put(`/asset/${asset1.id}`)
.set('Authorization', `Bearer ${user1.accessToken}`)
.send({ isFavorite: true });
expect(status).toEqual(200);
expect(body).toMatchObject({
id: asset1.id,
isFavorite: true,
people: [
{
birthDate: null,
id: expect.any(String),
isHidden: false,
name: 'Test Person',
thumbnailPath: '',
},
],
});
const sharedLink = await api.sharedLinkApi.create(server, user1.accessToken, {
type: SharedLinkType.INDIVIDUAL,
assetIds: [asset1.id],
});
const data = await request(server).get(`/asset/assetById/${asset1.id}?key=${sharedLink.key}`);
expect(data.status).toBe(200);
expect(data.body).toMatchObject({ people: [] });
});
}); });
describe('GET /asset/:id', () => { describe('GET /asset/:id', () => {

2
server/src/domain/asset/asset.service.ts
View File

@ -321,7 +321,7 @@ export class AssetService {
delete data.owner; delete data.owner;
} }
if (data.ownerId !== auth.user.id) { if (data.ownerId !== auth.user.id || auth.sharedLink) {
data.people = []; data.people = [];
} }