From 2aac88f2e1b1f9484b08dcad0686edd8aff144b7 Mon Sep 17 00:00:00 2001
From: Mees Frensel
Date: Wed, 21 Jan 2026 17:34:09 +0100
Subject: [PATCH] fix: add scoped API permissions to map endpoints
---
 mobile/openapi/lib/model/permission.dart | 6 ++++++
 open-api/immich-openapi-specs.json | 4 ++++
 open-api/typescript-sdk/src/fetch-client.ts | 2 ++
 server/src/controllers/map.controller.ts | 6 +++---
 server/src/enum.ts | 3 +++
 5 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/mobile/openapi/lib/model/permission.dart b/mobile/openapi/lib/model/permission.dart
index d5b9bf5086..08bde68afc 100644
--- a/mobile/openapi/lib/model/permission.dart
+++ b/mobile/openapi/lib/model/permission.dart
@@ -82,6 +82,8 @@ class Permission { static const timelinePeriodRead = Permission._(r'timeline.read'); static const timelinePeriodDownload = Permission._(r'timeline.download'); static const maintenance = Permission._(r'maintenance'); + static const mapPeriodGeocode = Permission._(r'map.geocode'); + static const mapPeriodRead = Permission._(r'map.read'); static const memoryPeriodCreate = Permission._(r'memory.create'); static const memoryPeriodRead = Permission._(r'memory.read'); static const memoryPeriodUpdate = Permission._(r'memory.update');
@@ -238,6 +240,8 @@ class Permission { timelinePeriodRead, timelinePeriodDownload, maintenance, + mapPeriodGeocode, + mapPeriodRead, memoryPeriodCreate, memoryPeriodRead, memoryPeriodUpdate,
@@ -429,6 +433,8 @@ class PermissionTypeTransformer { case r'timeline.read': return Permission.timelinePeriodRead; case r'timeline.download': return Permission.timelinePeriodDownload; case r'maintenance': return Permission.maintenance; + case r'map.geocode': return Permission.mapPeriodGeocode; + case r'map.read': return Permission.mapPeriodRead; case r'memory.create': return Permission.memoryPeriodCreate; case r'memory.read': return Permission.memoryPeriodRead; case r'memory.update': return Permission.memoryPeriodUpdate;
diff --git a/open-api/immich-openapi-specs.json b/open-api/immich-openapi-specs.json
index 7f09f7b336..8ff388f243 100644
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@@ -6305,6 +6305,7 @@ "state": "Stable" } ], + "x-immich-permission": "map.read", "x-immich-state": "Stable" } },
@@ -6376,6 +6377,7 @@ "state": "Stable" } ], + "x-immich-permission": "map.geocode", "x-immich-state": "Stable" } },
@@ -18966,6 +18968,8 @@ "timeline.read", "timeline.download", "maintenance", + "map.geocode", + "map.read", "memory.create", "memory.read", "memory.update",
diff --git a/open-api/typescript-sdk/src/fetch-client.ts b/open-api/typescript-sdk/src/fetch-client.ts
index 97745cc5a1..912be6edf8 100644
--- a/open-api/typescript-sdk/src/fetch-client.ts
+++ b/open-api/typescript-sdk/src/fetch-client.ts
@@ -5534,6 +5534,8 @@ export enum Permission { TimelineRead = "timeline.read", TimelineDownload = "timeline.download", Maintenance = "maintenance", + MapGeocode = "map.geocode", + MapRead = "map.read", MemoryCreate = "memory.create", MemoryRead = "memory.read", MemoryUpdate = "memory.update",
diff --git a/server/src/controllers/map.controller.ts b/server/src/controllers/map.controller.ts
index dbd1082561..c2560492c2 100644
--- a/server/src/controllers/map.controller.ts
+++ b/server/src/controllers/map.controller.ts
@@ -8,7 +8,7 @@ import {
 MapReverseGeocodeDto,
 MapReverseGeocodeResponseDto,
 } from 'src/dtos/map.dto';
-import { ApiTag } from 'src/enum';
+import { ApiTag, Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { MapService } from 'src/services/map.service';
@@ -18,7 +18,7 @@ export class MapController {
 constructor(private service: MapService) {}
 @Get('markers')
- @Authenticated()
+ @Authenticated({ permission: Permission.MapRead })
 @Endpoint({
 summary: 'Retrieve map markers',
 description: 'Retrieve a list of latitude and longitude coordinates for every asset with location data.',
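Review bot: No test accompanies the new `Permission.MapRead` requirement on the `markers` route; the diffstat lists only the controller, the enum and the OpenAPI/client files. A controller or e2e case that calls the route with an API key lacking `map.read` and expects the request to be refused, plus one holding it that succeeds, would pin the scope, and the same applies to `Permission.MapGeocode` on `reverse-geocode` in the next hunk. How the guard treated the previous bare `@Authenticated()` is not visible here, so the commit message should state whether existing scoped keys gain or lose access to these two routes. The `MapController` class starts before and continues past this hunk.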
@@ -28,8 +28,8 @@ export class MapController {
 return this.service.getMapMarkers(auth, options);
 }
- @Authenticated()
 @Get('reverse-geocode')
+ @Authenticated({ permission: Permission.MapGeocode })
 @HttpCode(HttpStatus.OK)
 @Endpoint({
 summary: 'Reverse geocode coordinates',
diff --git a/server/src/enum.ts b/server/src/enum.ts
index 8a7e1dc789..bf264268bd 100644
--- a/server/src/enum.ts
+++ b/server/src/enum.ts
@@ -160,6 +160,9 @@ export enum Permission {
 Maintenance = 'maintenance',
+ MapGeocode = 'map.geocode',
+ MapRead = 'map.read',
+
 MemoryCreate = 'memory.create',
 MemoryRead = 'memory.read',
 MemoryUpdate = 'memory.update',
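Review bot: The two new `Permission` members carry no comment saying which routes they gate, and `geocode` is a verb the neighbouring `memory.*` entries in this hunk do not use, so someone scoping an API key cannot tell from the enum what each value unlocks. A line above `MapGeocode` such as `// map.read gates the marker listing; map.geocode gates the reverse-geocode lookup` would make the least-privilege choice explicit. The enum body starts before and continues past this hunk.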