feat: verify permissions

chore: update uv version setting command in release script (#25583 )
chore: post release tasks (#25582 )
2026-01-29 08:14:47 -08:00 · 2026-01-28 15:45:11 -05:00 · 2026-01-28 13:56:25 +00:00 · 2026-01-28 08:55:58 -05:00 · 2026-01-28 08:55:11 -05:00 · 2026-01-28 13:55:18 +01:00
15 changed files with 207 additions and 45 deletions
--- a/cli/src/commands/asset.ts
+++ b/cli/src/commands/asset.ts
@@ -4,6 +4,7 @@ import {
  AssetBulkUploadCheckResult,
  AssetMediaResponseDto,
  AssetMediaStatus,
+  Permission,
  addAssetsToAlbum,
  checkBulkUpload,
  createAlbum,
@@ -20,13 +21,11 @@ import { Stats, createReadStream } from 'node:fs';
 import { stat, unlink } from 'node:fs/promises';
 import path, { basename } from 'node:path';
 import { Queue } from 'src/queue';
-import { BaseOptions, Batcher, authenticate, crawl, sha1 } from 'src/utils';
+import { BaseOptions, Batcher, authenticate, crawl, requirePermissions, s, sha1 } from 'src/utils';

 const UPLOAD_WATCH_BATCH_SIZE = 100;
 const UPLOAD_WATCH_DEBOUNCE_TIME_MS = 10_000;

-const s = (count: number) => (count === 1 ? '' : 's');
-
 // TODO figure out why `id` is missing
 type AssetBulkUploadCheckResults = Array<AssetBulkUploadCheckResult & { id: string }>;
 type Asset = { id: string; filepath: string };
@@ -136,6 +135,7 @@ export const startWatch = async (

 export const upload = async (paths: string[], baseOptions: BaseOptions, options: UploadOptionsDto) => {
  await authenticate(baseOptions);
+  await requirePermissions([Permission.AssetUpload]);

  const scanFiles = await scan(paths, options);

--- a/cli/src/commands/auth.ts
+++ b/cli/src/commands/auth.ts
@@ -1,7 +1,15 @@
-import { getMyUser } from '@immich/sdk';
+import { getMyUser, Permission } from '@immich/sdk';
 import { existsSync } from 'node:fs';
 import { mkdir, unlink } from 'node:fs/promises';
-import { BaseOptions, connect, getAuthFilePath, logError, withError, writeAuthFile } from 'src/utils';
+import {
+  BaseOptions,
+  connect,
+  getAuthFilePath,
+  logError,
+  requirePermissions,
+  withError,
+  writeAuthFile,
+} from 'src/utils';

 export const login = async (url: string, key: string, options: BaseOptions) => {
  console.log(`Logging in to ${url}`);
@@ -9,6 +17,7 @@ export const login = async (url: string, key: string, options: BaseOptions) => {
  const { configDirectory: configDir } = options;

  await connect(url, key);
+  await requirePermissions([Permission.UserRead]);

  const [error, user] = await withError(getMyUser());
  if (error) {
--- a/cli/src/commands/server-info.ts
+++ b/cli/src/commands/server-info.ts
@@ -1,8 +1,9 @@
-import { getAssetStatistics, getMyUser, getServerVersion, getSupportedMediaTypes } from '@immich/sdk';
-import { BaseOptions, authenticate } from 'src/utils';
+import { getAssetStatistics, getMyUser, getServerVersion, getSupportedMediaTypes, Permission } from '@immich/sdk';
+import { authenticate, BaseOptions, requirePermissions } from 'src/utils';

 export const serverInfo = async (options: BaseOptions) => {
  const { url } = await authenticate(options);
+  await requirePermissions([Permission.ServerAbout, Permission.AssetStatistics, Permission.UserRead]);

  const [versionInfo, mediaTypes, stats, userInfo] = await Promise.all([
    getServerVersion(),
--- a/cli/src/utils.ts
+++ b/cli/src/utils.ts
@@ -1,4 +1,4 @@
-import { getMyUser, init, isHttpError } from '@immich/sdk';
+import { ApiKeyResponseDto, getMyApiKey, getMyUser, init, isHttpError, Permission } from '@immich/sdk';
 import { convertPathToPattern, glob } from 'fast-glob';
 import { createHash } from 'node:crypto';
 import { createReadStream } from 'node:fs';
@@ -34,6 +34,36 @@ export const authenticate = async (options: BaseOptions): Promise<AuthDto> => {
  return auth;
 };

+export const s = (count: number) => (count === 1 ? '' : 's');
+
+let _apiKey: ApiKeyResponseDto;
+export const requirePermissions = async (permissions: Permission[]) => {
+  if (!_apiKey) {
+    _apiKey = await getMyApiKey();
+  }
+
+  if (_apiKey.permissions.includes(Permission.All)) {
+    return;
+  }
+
+  const missing: Permission[] = [];
+
+  for (const permission of permissions) {
+    if (!_apiKey.permissions.includes(permission)) {
+      missing.push(permission);
+    }
+  }
+
+  if (missing.length > 0) {
+    const combined = missing.map((permission) => `"${permission}"`).join(', ');
+    console.log(
+      `Missing required permission${s(missing.length)}: ${combined}.
+Please make sure your API key has the correct permissions.`,
+    );
+    process.exit(1);
+  }
+};
+
 export const connect = async (url: string, key: string) => {
  const wellKnownUrl = new URL('.well-known/immich', url);
  try {
--- a/e2e/src/web/specs/search/search-gallery.ui-spec.ts
+++ b/e2e/src/web/specs/search/search-gallery.ui-spec.ts
@@ -0,0 +1,116 @@
+import { faker } from '@faker-js/faker';
+import { expect, test } from '@playwright/test';
+import {
+  Changes,
+  createDefaultTimelineConfig,
+  generateTimelineData,
+  TimelineAssetConfig,
+  TimelineData,
+} from 'src/generators/timeline';
+import { setupBaseMockApiRoutes } from 'src/mock-network/base-network';
+import { setupTimelineMockApiRoutes, TimelineTestContext } from 'src/mock-network/timeline-network';
+import { assetViewerUtils } from 'src/web/specs/timeline/utils';
+
+const buildSearchUrl = (assetId: string) => {
+  const searchQuery = encodeURIComponent(JSON.stringify({ originalFileName: 'test' }));
+  return `/search/photos/${assetId}?query=${searchQuery}`;
+};
+
+test.describe.configure({ mode: 'parallel' });
+test.describe('search gallery-viewer', () => {
+  let adminUserId: string;
+  let timelineRestData: TimelineData;
+  const assets: TimelineAssetConfig[] = [];
+  const testContext = new TimelineTestContext();
+  const changes: Changes = {
+    albumAdditions: [],
+    assetDeletions: [],
+    assetArchivals: [],
+    assetFavorites: [],
+  };
+
+  test.beforeAll(async () => {
+    adminUserId = faker.string.uuid();
+    testContext.adminId = adminUserId;
+    timelineRestData = generateTimelineData({ ...createDefaultTimelineConfig(), ownerId: adminUserId });
+    for (const timeBucket of timelineRestData.buckets.values()) {
+      assets.push(...timeBucket);
+    }
+  });
+
+  test.beforeEach(async ({ context }) => {
+    await setupBaseMockApiRoutes(context, adminUserId);
+    await setupTimelineMockApiRoutes(context, timelineRestData, changes, testContext);
+
+    await context.route('**/api/search/metadata', async (route, request) => {
+      if (request.method() === 'POST') {
+        const searchAssets = assets.slice(0, 5).filter((asset) => !changes.assetDeletions.includes(asset.id));
+        return route.fulfill({
+          status: 200,
+          contentType: 'application/json',
+          json: {
+            albums: { total: 0, count: 0, items: [], facets: [] },
+            assets: {
+              total: searchAssets.length,
+              count: searchAssets.length,
+              items: searchAssets,
+              facets: [],
+              nextPage: null,
+            },
+          },
+        });
+      }
+      await route.fallback();
+    });
+  });
+
+  test.afterEach(() => {
+    testContext.slowBucket = false;
+    changes.albumAdditions = [];
+    changes.assetDeletions = [];
+    changes.assetArchivals = [];
+    changes.assetFavorites = [];
+  });
+
+  test.describe('/search/photos/:id', () => {
+    test('Deleting a photo advances to the next photo', async ({ page }) => {
+      const asset = assets[0];
+      await page.goto(buildSearchUrl(asset.id));
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[1]);
+    });
+
+    test('Deleting two photos in a row advances to the next photo each time', async ({ page }) => {
+      const asset = assets[0];
+      await page.goto(buildSearchUrl(asset.id));
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[1]);
+      await page.getByLabel('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[2]);
+    });
+
+    test('Navigating backward then deleting advances to the next photo', async ({ page }) => {
+      const asset = assets[1];
+      await page.goto(buildSearchUrl(asset.id));
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('View previous asset').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[0]);
+      await page.getByLabel('View next asset').click();
+      await assetViewerUtils.waitForViewerLoad(page, asset);
+      await page.getByLabel('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[2]);
+    });
+
+    test('Deleting the last photo advances to the previous photo', async ({ page }) => {
+      const lastAsset = assets[4];
+      await page.goto(buildSearchUrl(lastAsset.id));
+      await assetViewerUtils.waitForViewerLoad(page, lastAsset);
+      await expect(page.getByLabel('View next asset')).toHaveCount(0);
+      await page.getByLabel('Delete').click();
+      await assetViewerUtils.waitForViewerLoad(page, assets[3]);
+      await expect(page.getByLabel('View previous asset')).toBeVisible();
+    });
+  });
+});
--- a/misc/release/pump-version.sh
+++ b/misc/release/pump-version.sh
@@ -75,7 +75,7 @@ if [ "$CURRENT_SERVER" != "$NEXT_SERVER" ]; then
  pnpm --prefix server run build
  ( cd ./open-api && bash ./bin/generate-open-api.sh )

-  uvx --from=toml-cli toml set --toml-path=machine-learning/pyproject.toml project.version "$NEXT_SERVER"
+  uv version --directory machine-learning "$NEXT_SERVER"

  ./misc/release/archive-version.js "$NEXT_SERVER"
 fi
--- a/mise.toml
+++ b/mise.toml
@@ -1,5 +1,18 @@
 experimental_monorepo_root = true

+[monorepo]
+config_roots = [
+  "plugins",
+  "server",
+  "cli",
+  "deployment",
+  "mobile",
+  "e2e",
+  "web",
+  "docs",
+  ".github",
+]
+
 [tools]
 node = "24.13.0"
 flutter = "3.35.7"
--- a/mobile/ios/Runner.xcodeproj/project.pbxproj
+++ b/mobile/ios/Runner.xcodeproj/project.pbxproj
@@ -741,7 +741,7 @@
 				CODE_SIGN_ENTITLEMENTS = Runner/RunnerProfile.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 233;
+				CURRENT_PROJECT_VERSION = 240;
 				CUSTOM_GROUP_ID = group.app.immich.share;
 				DEVELOPMENT_TEAM = 2F67MQ8R79;
 				ENABLE_BITCODE = NO;
@@ -885,7 +885,7 @@
 				CODE_SIGN_ENTITLEMENTS = Runner/Runner.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 233;
+				CURRENT_PROJECT_VERSION = 240;
 				CUSTOM_GROUP_ID = group.app.immich.share;
 				DEVELOPMENT_TEAM = 2F67MQ8R79;
 				ENABLE_BITCODE = NO;
@@ -915,7 +915,7 @@
 				CODE_SIGN_ENTITLEMENTS = Runner/Runner.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 233;
+				CURRENT_PROJECT_VERSION = 240;
 				CUSTOM_GROUP_ID = group.app.immich.share;
 				DEVELOPMENT_TEAM = 2F67MQ8R79;
 				ENABLE_BITCODE = NO;
@@ -949,7 +949,7 @@
 				CODE_SIGN_ENTITLEMENTS = WidgetExtension/WidgetExtension.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 233;
+				CURRENT_PROJECT_VERSION = 240;
 				DEVELOPMENT_TEAM = 2F67MQ8R79;
 				ENABLE_USER_SCRIPT_SANDBOXING = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu17;
@@ -992,7 +992,7 @@
 				CODE_SIGN_ENTITLEMENTS = WidgetExtension/WidgetExtension.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 233;
+				CURRENT_PROJECT_VERSION = 240;
 				DEVELOPMENT_TEAM = 2F67MQ8R79;
 				ENABLE_USER_SCRIPT_SANDBOXING = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu17;
@@ -1032,7 +1032,7 @@
 				CODE_SIGN_ENTITLEMENTS = WidgetExtension/WidgetExtension.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 233;
+				CURRENT_PROJECT_VERSION = 240;
 				DEVELOPMENT_TEAM = 2F67MQ8R79;
 				ENABLE_USER_SCRIPT_SANDBOXING = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu17;
@@ -1071,7 +1071,7 @@
 				CODE_SIGN_ENTITLEMENTS = ShareExtension/ShareExtension.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 233;
+				CURRENT_PROJECT_VERSION = 240;
 				CUSTOM_GROUP_ID = group.app.immich.share;
 				DEVELOPMENT_TEAM = 2F67MQ8R79;
 				ENABLE_USER_SCRIPT_SANDBOXING = YES;
@@ -1115,7 +1115,7 @@
 				CODE_SIGN_ENTITLEMENTS = ShareExtension/ShareExtension.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 233;
+				CURRENT_PROJECT_VERSION = 240;
 				CUSTOM_GROUP_ID = group.app.immich.share;
 				DEVELOPMENT_TEAM = 2F67MQ8R79;
 				ENABLE_USER_SCRIPT_SANDBOXING = YES;
@@ -1156,7 +1156,7 @@
 				CODE_SIGN_ENTITLEMENTS = ShareExtension/ShareExtension.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 233;
+				CURRENT_PROJECT_VERSION = 240;
 				CUSTOM_GROUP_ID = group.app.immich.share;
 				DEVELOPMENT_TEAM = 2F67MQ8R79;
 				ENABLE_USER_SCRIPT_SANDBOXING = YES;
--- a/mobile/ios/Runner/Info.plist
+++ b/mobile/ios/Runner/Info.plist
@@ -107,7 +107,7 @@
 		</dict>
 	</array>
 	<key>CFBundleVersion</key>
-	<string>233</string>
+	<string>240</string>
 	<key>FLTEnableImpeller</key>
 	<true/>
 	<key>ITSAppUsesNonExemptEncryption</key>
--- a/mobile/ios/fastlane/README.md
+++ b/mobile/ios/fastlane/README.md
@@ -39,6 +39,14 @@ iOS Release to TestFlight

 iOS Manual Release

+### ios gha_build_only
+
+```sh
+[bundle exec] fastlane ios gha_build_only
+```
+
+iOS Build Only (no TestFlight upload)
+
 ----

 This README.md is auto-generated and will be re-generated every time [_fastlane_](https://fastlane.tools) is run.
--- a/server/src/maintenance/maintenance-worker.service.ts
+++ b/server/src/maintenance/maintenance-worker.service.ts
@@ -79,7 +79,7 @@ export class MaintenanceWorkerService {
    this.#secret = state.secret;
    this.#status = {
      active: true,
-      action: state.action.action,
+      action: state.action?.action ?? MaintenanceAction.Start,
    };

    StorageCore.setMediaLocation(this.detectMediaLocation());
@@ -88,7 +88,10 @@ export class MaintenanceWorkerService {
    this.maintenanceWebsocketRepository.setStatusUpdateFn((status) => (this.#status = status));

    await this.logSecret();
-    void this.runAction(state.action);
+
+    if (state.action) {
+      void this.runAction(state.action);
+    }
  }

  /**
--- a/server/src/types.ts
+++ b/server/src/types.ts
@@ -490,7 +490,7 @@ export interface MemoryData {
 export type VersionCheckMetadata = { checkedAt: string; releaseVersion: string };
 export type SystemFlags = { mountChecks: Record<StorageFolder, boolean> };
 export type MaintenanceModeState =
-  | { isMaintenanceMode: true; secret: string; action: SetMaintenanceModeDto }
+  | { isMaintenanceMode: true; secret: string; action?: SetMaintenanceModeDto }
  | { isMaintenanceMode: false };
 export type MemoriesState = {
  /** memories have already been created through this date */
--- a/web/src/lib/components/shared-components/gallery-viewer/gallery-viewer.svelte
+++ b/web/src/lib/components/shared-components/gallery-viewer/gallery-viewer.svelte
@@ -302,6 +302,7 @@
      case AssetAction.ARCHIVE:
      case AssetAction.DELETE:
      case AssetAction.TRASH: {
+        const nextAsset = assetCursor.nextAsset ?? assetCursor.previousAsset;
        assets.splice(
          assets.findIndex((currentAsset) => currentAsset.id === action.asset.id),
          1,
@@ -309,10 +310,8 @@
        if (assets.length === 0) {
          return await goto(Route.photos());
        }
-        if (assetCursor.nextAsset) {
-          await navigateToAsset(assetCursor.nextAsset);
-        } else if (assetCursor.previousAsset) {
-          await navigateToAsset(assetCursor.previousAsset);
+        if (nextAsset) {
+          await navigateToAsset(nextAsset);
        }
        break;
      }
--- a/web/src/lib/modals/AlbumOptionsModal.svelte
+++ b/web/src/lib/modals/AlbumOptionsModal.svelte
@@ -9,7 +9,6 @@
    handleUpdateAlbum,
    handleUpdateUserAlbumRole,
  } from '$lib/services/album.service';
-  import { user } from '$lib/stores/user.store';
  import {
    AlbumUserRole,
    AssetOrder,
@@ -108,9 +107,9 @@
        <div class="ps-2">
          <div class="flex items-center gap-2 mb-2">
            <div>
-              <UserAvatar user={$user} size="md" />
+              <UserAvatar user={album.owner} size="md" />
            </div>
-            <Text class="w-full" size="small">{$user.name}</Text>
+            <Text class="w-full" size="small">{album.owner.name}</Text>
            <Field disabled class="w-32 shrink-0">
              <Select options={[{ label: $t('owner'), value: 'owner' }]} value="owner" />
            </Field>
--- a/web/src/routes/(user)/search/[[photos=photos]]/[[assetId=id]]/+page.svelte
+++ b/web/src/routes/(user)/search/[[photos=photos]]/[[assetId=id]]/+page.svelte
@@ -1,7 +1,6 @@
 <script lang="ts">
  import { afterNavigate, goto } from '$app/navigation';
  import { page } from '$app/state';
-  import { shortcut } from '$lib/actions/shortcut';
  import ButtonContextMenu from '$lib/components/shared-components/context-menu/button-context-menu.svelte';
  import ControlAppBar from '$lib/components/shared-components/control-app-bar.svelte';
  import GalleryViewer from '$lib/components/shared-components/gallery-viewer/gallery-viewer.svelte';
@@ -24,7 +23,6 @@
  import type { Viewport } from '$lib/managers/timeline-manager/types';
  import { Route } from '$lib/route';
  import { AssetInteraction } from '$lib/stores/asset-interaction.svelte';
-  import { assetViewingStore } from '$lib/stores/asset-viewing.store';
  import { lang, locale } from '$lib/stores/preferences.store';
  import { preferences, user } from '$lib/stores/user.store';
  import { handlePromiseError } from '$lib/utils';
@@ -48,7 +46,6 @@
  import { tick, untrack } from 'svelte';
  import { t } from 'svelte-i18n';

-  let { isViewing: showAssetViewer } = assetViewingStore;
  const viewport: Viewport = $state({ width: 0, height: 0 });
  let searchResultsElement: HTMLElement | undefined = $state();

@@ -82,18 +79,6 @@
    untrack(() => handlePromiseError(onSearchQueryUpdate()));
  });

-  const onEscape = () => {
-    if ($showAssetViewer) {
-      return;
-    }
-
-    if (assetInteraction.selectionActive) {
-      assetInteraction.selectedAssets = [];
-      return;
-    }
-    handlePromiseError(goto(previousRoute));
-  };
-
  $effect(() => {
    if (scrollY) {
      scrollYHistory = scrollY;
@@ -260,7 +245,6 @@
 </script>

 <svelte:window bind:scrollY />
-<svelte:document use:shortcut={{ shortcut: { key: 'Escape' }, onShortcut: onEscape }} />

 {#if terms}
  <section
Author	SHA1	Message	Date
Jason Rasmussen	8f87477c13	feat: verify permissions	2026-01-28 15:45:11 -05:00
Timon	0cb153a971	chore: update uv version setting command in release script (#25583 )	2026-01-28 13:56:25 +00:00
Alex	12d23e987b	chore: post release tasks (#25582 )	2026-01-28 08:55:58 -05:00
Timon	9486eed97e	chore(mise): use explicit monorepo config (#25575 ) chore(mise): add monorepo configuration with multiple config roots	2026-01-28 08:55:11 -05:00
Paul Makles	913e939606	fix(server): don't assume maintenance action is set (#25622 )	2026-01-28 13:55:18 +01:00
Daniel Dietzler	9be01e79f7	fix: correctly show owner in album options modal (#25618 )	2026-01-28 06:24:02 -06:00
Daniel Dietzler	2d09853c3d	fix: escape handling in search asset viewer (#25621 )	2026-01-28 06:23:15 -06:00
Min Idzelis	91831f68e2	fix: deleting asset from asset-viewer on search results (#25596 )	2026-01-28 12:31:23 +01:00