feat: honor album access permissions in search endpoints (#29352 )

fix!: search endpoints visibility can be omitted (#29385 )
2026-06-29 17:54:35 -07:00 · 2026-06-29 22:27:22 +02:00 · 2026-06-29 22:00:02 +02:00
7 changed files with 131 additions and 45 deletions
@@ -7,18 +7,17 @@ from
  "asset"
  inner join "asset_exif" on "asset"."id" = "asset_exif"."assetId"
 where
-  "asset"."visibility" = $1
-  and "asset"."fileCreatedAt" >= $2
-  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  "asset"."fileCreatedAt" >= $1
+  and "asset_exif"."lensModel" = $2
+  and "asset"."ownerId" = any ($3::uuid[])
+  and "asset"."isFavorite" = $4
  and "asset"."deletedAt" is null
 order by
  "asset"."fileCreatedAt" desc
 limit
-  $6
+  $5
 offset
-  $7
+  $6

 -- SearchRepository.searchStatistics
 select
@@ -27,11 +26,10 @@ from
  "asset"
  inner join "asset_exif" on "asset"."id" = "asset_exif"."assetId"
 where
-  "asset"."visibility" = $1
-  and "asset"."fileCreatedAt" >= $2
-  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  "asset"."fileCreatedAt" >= $1
+  and "asset_exif"."lensModel" = $2
+  and "asset"."ownerId" = any ($3::uuid[])
+  and "asset"."isFavorite" = $4
  and "asset"."deletedAt" is null

 -- SearchRepository.searchRandom
@@ -41,16 +39,15 @@ from
  "asset"
  inner join "asset_exif" on "asset"."id" = "asset_exif"."assetId"
 where
-  "asset"."visibility" = $1
-  and "asset"."fileCreatedAt" >= $2
-  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  "asset"."fileCreatedAt" >= $1
+  and "asset_exif"."lensModel" = $2
+  and "asset"."ownerId" = any ($3::uuid[])
+  and "asset"."isFavorite" = $4
  and "asset"."deletedAt" is null
 order by
  random()
 limit
-  $6
+  $5

 -- SearchRepository.searchLargeAssets
 select
@@ -60,17 +57,16 @@ from
  "asset"
  inner join "asset_exif" on "asset"."id" = "asset_exif"."assetId"
 where
-  "asset"."visibility" = $1
-  and "asset"."fileCreatedAt" >= $2
-  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  "asset"."fileCreatedAt" >= $1
+  and "asset_exif"."lensModel" = $2
+  and "asset"."ownerId" = any ($3::uuid[])
+  and "asset"."isFavorite" = $4
  and "asset"."deletedAt" is null
-  and "asset_exif"."fileSizeInByte" > $6
+  and "asset_exif"."fileSizeInByte" > $5
 order by
  "asset_exif"."fileSizeInByte" desc
 limit
-  $7
+  $6

 -- SearchRepository.searchSmart
 begin
@@ -83,18 +79,17 @@ from
  inner join "asset_exif" on "asset"."id" = "asset_exif"."assetId"
  inner join "smart_search" on "asset"."id" = "smart_search"."assetId"
 where
-  "asset"."visibility" = $1
-  and "asset"."fileCreatedAt" >= $2
-  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  "asset"."fileCreatedAt" >= $1
+  and "asset_exif"."lensModel" = $2
+  and "asset"."ownerId" = any ($3::uuid[])
+  and "asset"."isFavorite" = $4
  and "asset"."deletedAt" is null
 order by
-  smart_search.embedding <=> $6
+  smart_search.embedding <=> $5
 limit
-  $7
+  $6
 offset
-  $8
+  $7
 commit

 -- SearchRepository.getEmbedding
@@ -117,7 +117,8 @@ type BaseAssetSearchOptions = SearchDateOptions &
  SearchAlbumOptions &
  SearchOcrOptions;

-export type AssetSearchOptions = BaseAssetSearchOptions & SearchRelationOptions;
+export type AssetSearchOptions = Omit<BaseAssetSearchOptions, 'visibility'> &
+  SearchRelationOptions & { visibility?: AssetVisibility | 'not-locked' };

 export type AssetSearchBuilderOptions = Omit<AssetSearchOptions, 'orderDirection'>;

@@ -125,11 +126,11 @@ export type SmartSearchOptions = SearchDateOptions &
  SearchEmbeddingOptions &
  SearchExifOptions &
  SearchOneToOneRelationOptions &
-  SearchStatusOptions &
+  Omit<SearchStatusOptions, 'visibility'> &
  SearchUserIdOptions &
  SearchPeopleOptions &
  SearchTagOptions &
-  SearchOcrOptions;
+  SearchOcrOptions & { visibility?: AssetVisibility | 'not-locked' };

 export type OcrSearchOptions = SearchDateOptions & SearchOcrOptions;

@@ -250,7 +250,7 @@ describe(SearchService.name, () => {
      );
      expect(mocks.search.searchSmart).toHaveBeenCalledWith(
        { page: 1, size: 100 },
-        { query: 'test', embedding: '[1, 2, 3]', userIds: [authStub.user1.user.id] },
+        { query: 'test', embedding: '[1, 2, 3]', userIds: [authStub.user1.user.id], visibility: 'not-locked' },
      );
    });

@@ -73,14 +73,22 @@ export class SearchService extends BaseService {
      checksum = Buffer.from(dto.checksum, encoding);
    }

+    let userIds: string[] | undefined;
+
+    if (dto.albumIds && dto.albumIds.length > 0) {
+      await this.requireAccess({ auth, ids: dto.albumIds, permission: Permission.AlbumRead });
+    } else {
+      userIds = await this.getUserIdsToSearch(auth, dto.visibility);
+    }
+
    const page = dto.page ?? 1;
    const size = dto.size || 250;
-    const userIds = await this.getUserIdsToSearch(auth, dto.visibility);
    const { hasNextPage, items } = await this.searchRepository.searchMetadata(
      { page, size },
      {
        ...dto,
        checksum,
+        visibility: dto.visibility ?? (auth.session?.hasElevatedPermission ? undefined : 'not-locked'),
        userIds,
        orderDirection: dto.order ?? AssetOrder.Desc,
      },
@@ -91,9 +99,13 @@ export class SearchService extends BaseService {

  async searchStatistics(auth: AuthDto, dto: StatisticsSearchDto): Promise<SearchStatisticsResponseDto> {
    const userIds = await this.getUserIdsToSearch(auth);
+    if (dto.visibility === AssetVisibility.Locked) {
+      requireElevatedPermission(auth);
+    }

    return await this.searchRepository.searchStatistics({
      ...dto,
+      visibility: dto.visibility ?? (auth.session?.hasElevatedPermission ? undefined : 'not-locked'),
      userIds,
    });
  }
@@ -114,7 +126,11 @@ export class SearchService extends BaseService {
    }

    const userIds = await this.getUserIdsToSearch(auth, dto.visibility);
-    const items = await this.searchRepository.searchLargeAssets(dto.size || 250, { ...dto, userIds });
+    const items = await this.searchRepository.searchLargeAssets(dto.size || 250, {
+      ...dto,
+      visibility: dto.visibility ?? (auth.session?.hasElevatedPermission ? undefined : 'not-locked'),
+      userIds,
+    });
    return items.map((item) => mapAsset(item, { auth }));
  }

@@ -155,7 +171,12 @@ export class SearchService extends BaseService {
    const size = dto.size || 100;
    const { hasNextPage, items } = await this.searchRepository.searchSmart(
      { page, size },
-      { ...dto, userIds: await userIds, embedding },
+      {
+        ...dto,
+        userIds: await userIds,
+        embedding,
+        visibility: dto.visibility ?? (auth.session?.hasElevatedPermission ? undefined : 'not-locked'),
+      },
    );

    return this.mapResponse(items, hasNextPage ? (page + 1).toString() : null, { auth });
@@ -373,12 +373,15 @@ const joinDeduplicationPlugin = new DeduplicateJoinsPlugin();

 export function searchAssetBuilder(kysely: Kysely<DB>, options: AssetSearchBuilderOptions) {
  options.withDeleted ||= !!(options.trashedAfter || options.trashedBefore || options.isOffline);
-  const visibility = options.visibility == null ? AssetVisibility.Timeline : options.visibility;

  return kysely
    .withPlugin(joinDeduplicationPlugin)
    .selectFrom('asset')
-    .where('asset.visibility', '=', visibility)
+    .$if(!!options.visibility, (qb) =>
+      options.visibility === 'not-locked'
+        ? qb.where('asset.visibility', '!=', AssetVisibility.Locked)
+        : qb.where('asset.visibility', '=', options.visibility!),
+    )
    .$if(!!options.albumIds && options.albumIds.length > 0, (qb) => inAlbums(qb, options.albumIds!))
    .$if(!!options.tagIds && options.tagIds.length > 0, (qb) => hasTags(qb, options.tagIds!))
    .$if(options.tagIds === null, (qb) =>
@@ -1,5 +1,6 @@
 import { Kysely } from 'kysely';
 import { SearchSuggestionType } from 'src/dtos/search.dto';
+import { AlbumUserRole, AssetVisibility } from 'src/enum';
 import { AccessRepository } from 'src/repositories/access.repository';
 import { AssetRepository } from 'src/repositories/asset.repository';
 import { DatabaseRepository } from 'src/repositories/database.repository';
@@ -108,6 +109,71 @@ describe(SearchService.name, () => {
      expect(response.assets.items.length).toBe(1);
      expect(response.assets.items[0].id).toBe(unstackedAsset.id);
    });
+
+    describe('visibility', () => {
+      it('should filter out locked assets in a default session', async () => {
+        const { sut, ctx } = setup();
+        const { user } = await ctx.newUser();
+
+        await ctx.newAsset({ ownerId: user.id, visibility: AssetVisibility.Locked });
+
+        const auth = factory.auth({ user: { id: user.id } });
+
+        const response = await sut.searchMetadata(auth, { withStacked: false });
+
+        expect(response.assets.items.length).toBe(0);
+      });
+
+      it('should return locked assets in an elevated session', async () => {
+        const { sut, ctx } = setup();
+        const { user } = await ctx.newUser();
+
+        await ctx.newAsset({ ownerId: user.id, visibility: AssetVisibility.Locked });
+
+        const auth = factory.auth({ user: { id: user.id }, session: { hasElevatedPermission: true } });
+
+        const response = await sut.searchMetadata(auth, { withStacked: false });
+
+        expect(response.assets.items.length).toBe(1);
+      });
+    });
+  });
+
+  describe('albumIds option', () => {
+    it('should return assets from shared album', async () => {
+      const { sut, ctx } = setup();
+      const { user } = await ctx.newUser();
+      const { user: otherUser } = await ctx.newUser();
+
+      const { asset } = await ctx.newAsset({ ownerId: otherUser.id });
+      const { album } = await ctx.newAlbum({ ownerId: otherUser.id });
+      await ctx.newAlbumAsset({ albumId: album.id, assetId: asset.id });
+      await ctx.newAlbumUser({ albumId: album.id, userId: user.id, role: AlbumUserRole.Editor });
+
+      const auth = factory.auth({ user: { id: user.id } });
+
+      const response = await sut.searchMetadata(auth, { albumIds: [album.id] });
+
+      expect(response.assets.items.length).toBe(1);
+    });
+
+    it('should not return assets for album, a user is not in, when partner sharing is enabled', async () => {
+      const { sut, ctx } = setup();
+      const { user } = await ctx.newUser();
+      const { user: otherUser } = await ctx.newUser();
+
+      await ctx.newPartner({ sharedById: otherUser.id, sharedWithId: user.id });
+
+      const { asset } = await ctx.newAsset({ ownerId: otherUser.id });
+      const { album } = await ctx.newAlbum({ ownerId: otherUser.id });
+      await ctx.newAlbumAsset({ albumId: album.id, assetId: asset.id });
+
+      const auth = factory.auth({ user: { id: user.id } });
+
+      await expect(sut.searchMetadata(auth, { albumIds: [album.id] })).rejects.toThrow(
+        'Not found or no album.read access',
+      );
+    });
  });

  describe('getSearchSuggestions', () => {
@@ -27,7 +27,7 @@ const authFactory = ({
  user,
 }: {
  apiKey?: Partial<AuthApiKey>;
-  session?: { id: string };
+  session?: { id?: string; hasElevatedPermission?: boolean };
  user?: Omit<
    Partial<UserAdmin>,
    'createdAt' | 'updatedAt' | 'deletedAt' | 'fileCreatedAt' | 'fileModifiedAt' | 'localDateTime' | 'profileChangedAt'
@@ -46,8 +46,8 @@ const authFactory = ({

  if (session) {
    auth.session = {
-      id: session.id,
-      hasElevatedPermission: false,
+      id: session.id ?? newUuid(),
+      hasElevatedPermission: session.hasElevatedPermission ?? false,
    };
  }
Author	SHA1	Message	Date
Daniel Dietzler	deeb042a9e	feat: honor album access permissions in search endpoints (#29352 )	2026-06-29 22:27:22 +02:00
Daniel Dietzler	b4cc406a3f	fix!: search endpoints visibility can be omitted (#29385 )	2026-06-29 22:00:02 +02:00