fix(server): scoped permissions for more endpoints

mobile/lib/domain/utils/background_sync.dart

@@ -1,5 +1,6 @@
 import 'dart:async';
 
+import 'package:immich_mobile/domain/utils/migrate_cloud_ids.dart' as m;
 import 'package:immich_mobile/domain/utils/sync_linked_album.dart';
 import 'package:immich_mobile/providers/infrastructure/sync.provider.dart';
 import 'package:immich_mobile/utils/isolate.dart';
@@ -22,8 +23,13 @@ class BackgroundSyncManager {
   final SyncCallback? onHashingComplete;
   final SyncErrorCallback? onHashingError;
 
+  final SyncCallback? onCloudIdSyncStart;
+  final SyncCallback? onCloudIdSyncComplete;
+  final SyncErrorCallback? onCloudIdSyncError;
+
   Cancelable<bool?>? _syncTask;
   Cancelable<void>? _syncWebsocketTask;
+  Cancelable<void>? _cloudIdSyncTask;
   Cancelable<void>? _deviceAlbumSyncTask;
   Cancelable<void>? _linkedAlbumSyncTask;
   Cancelable<void>? _hashTask;
@@ -38,6 +44,9 @@ class BackgroundSyncManager {
     this.onHashingStart,
     this.onHashingComplete,
     this.onHashingError,
+    this.onCloudIdSyncStart,
+    this.onCloudIdSyncComplete,
+    this.onCloudIdSyncError,
   });
 
   Future<void> cancel() async {
@@ -55,6 +64,12 @@ class BackgroundSyncManager {
     _syncWebsocketTask?.cancel();
     _syncWebsocketTask = null;
 
+    if (_cloudIdSyncTask != null) {
+      futures.add(_cloudIdSyncTask!.future);
+    }
+    _cloudIdSyncTask?.cancel();
+    _cloudIdSyncTask = null;
+
     if (_linkedAlbumSyncTask != null) {
       futures.add(_linkedAlbumSyncTask!.future);
     }
@@ -201,6 +216,25 @@ class BackgroundSyncManager {
       _linkedAlbumSyncTask = null;
     });
   }
+
+  Future<void> syncCloudIds() {
+    if (_cloudIdSyncTask != null) {
+      return _cloudIdSyncTask!.future;
+    }
+
+    onCloudIdSyncStart?.call();
+
+    _cloudIdSyncTask = runInIsolateGentle(computation: m.syncCloudIds);
+    return _cloudIdSyncTask!
+        .whenComplete(() {
+          onCloudIdSyncComplete?.call();
+          _cloudIdSyncTask = null;
+        })
+        .catchError((error) {
+          onCloudIdSyncError?.call(error.toString());
+          _cloudIdSyncTask = null;
+        });
+  }
 }
 
 Cancelable<void> _handleWsAssetUploadReadyV1Batch(List<dynamic> batchData) => runInIsolateGentle(

mobile/lib/domain/utils/migrate_cloud_ids.dart

@@ -10,13 +10,14 @@ import 'package:immich_mobile/infrastructure/repositories/local_album.repository
 import 'package:immich_mobile/platform/native_sync_api.g.dart';
 import 'package:immich_mobile/providers/api.provider.dart';
 import 'package:immich_mobile/providers/infrastructure/db.provider.dart';
+import 'package:immich_mobile/providers/infrastructure/sync.provider.dart';
 import 'package:immich_mobile/providers/server_info.provider.dart';
 import 'package:immich_mobile/providers/user.provider.dart';
 import 'package:logging/logging.dart';
 // ignore: import_rule_openapi
 import 'package:openapi/api.dart' hide AssetVisibility;
 
-Future<void> syncCloudIds(Ref ref) async {
+Future<void> syncCloudIds(ProviderContainer ref) async {
   if (!CurrentPlatform.isIOS) {
     return;
   }
@@ -34,6 +35,14 @@ Future<void> syncCloudIds(Ref ref) async {
   }
   final canBulkUpdateMetadata = serverInfo.serverVersion.isAtLeast(major: 2, minor: 5);
 
+  // Wait for remote sync to complete, so we have up-to-date asset metadata entries
+  try {
+    await ref.read(syncStreamServiceProvider).sync();
+  } catch (e, s) {
+    logger.fine('Failed to complete remote sync before cloudId migration.', e, s);
+    return;
+  }
+
   // Fetch the mapping for backed up assets that have a cloud ID locally but do not have a cloud ID on the server
   final currentUser = ref.read(currentUserProvider);
   if (currentUser == null) {

mobile/lib/pages/common/splash_screen.page.dart

@@ -75,6 +75,7 @@ class SplashScreenPageState extends ConsumerState<SplashScreenPage> {
                       _resumeBackup(backupProvider);
                     }),
                     _resumeBackup(backupProvider),
+                    backgroundManager.syncCloudIds(),
                   ]);
                 } else {
                   await backgroundManager.hashAssets();

mobile/lib/providers/app_life_cycle.provider.dart

@@ -3,7 +3,6 @@ import 'dart:async';
 import 'package:hooks_riverpod/hooks_riverpod.dart';
 import 'package:immich_mobile/domain/models/store.model.dart';
 import 'package:immich_mobile/domain/services/log.service.dart';
-import 'package:immich_mobile/domain/utils/migrate_cloud_ids.dart';
 import 'package:immich_mobile/entities/store.entity.dart';
 import 'package:immich_mobile/extensions/platform_extensions.dart';
 import 'package:immich_mobile/models/backup/backup_state.model.dart';
@@ -157,11 +156,11 @@ class AppLifeCycleNotifier extends StateNotifier<AppLifeCycleEnum> {
       ]);
       if (syncSuccess) {
         await Future.wait([
-          _safeRun(syncCloudIds(_ref), "syncCloudIds"),
           _safeRun(backgroundManager.hashAssets(), "hashAssets").then((_) {
             _resumeBackup();
           }),
           _resumeBackup(),
+          _safeRun(backgroundManager.syncCloudIds(), "syncCloudIds"),
         ]);
       } else {
         await _safeRun(backgroundManager.hashAssets(), "hashAssets");

mobile/lib/providers/auth.provider.dart

@@ -1,23 +1,19 @@
-import 'dart:async';
-
 import 'package:flutter_udid/flutter_udid.dart';
 import 'package:hooks_riverpod/hooks_riverpod.dart';
 import 'package:immich_mobile/constants/constants.dart';
 import 'package:immich_mobile/domain/models/store.model.dart';
 import 'package:immich_mobile/domain/models/user.model.dart';
 import 'package:immich_mobile/domain/services/user.service.dart';
-import 'package:immich_mobile/domain/utils/migrate_cloud_ids.dart';
 import 'package:immich_mobile/entities/store.entity.dart';
 import 'package:immich_mobile/models/auth/auth_state.model.dart';
 import 'package:immich_mobile/models/auth/login_response.model.dart';
 import 'package:immich_mobile/providers/api.provider.dart';
-import 'package:immich_mobile/providers/background_sync.provider.dart';
 import 'package:immich_mobile/providers/infrastructure/user.provider.dart';
 import 'package:immich_mobile/services/api.service.dart';
 import 'package:immich_mobile/services/auth.service.dart';
-import 'package:immich_mobile/services/background_upload.service.dart';
 import 'package:immich_mobile/services/foreground_upload.service.dart';
 import 'package:immich_mobile/services/secure_storage.service.dart';
+import 'package:immich_mobile/services/background_upload.service.dart';
 import 'package:immich_mobile/services/widget.service.dart';
 import 'package:immich_mobile/utils/debug_print.dart';
 import 'package:immich_mobile/utils/hash.dart';
@@ -176,15 +172,6 @@ class AuthNotifier extends StateNotifier<AuthState> {
       isAdmin: user.isAdmin,
     );
 
-    // TODO: Temporarily run cloud Id sync here until we have a better place to do it
-    unawaited(
-      _ref.read(backgroundSyncProvider).syncRemote().then((success) {
-        if (success) {
-          return syncCloudIds(_ref);
-        }
-      }),
-    );
-
     return true;
   }
 

mobile/lib/providers/background_sync.provider.dart

@@ -28,6 +28,9 @@ final backgroundSyncProvider = Provider<BackgroundSyncManager>((ref) {
     onHashingStart: syncStatusNotifier.startHashJob,
     onHashingComplete: syncStatusNotifier.completeHashJob,
     onHashingError: syncStatusNotifier.errorHashJob,
+    onCloudIdSyncStart: syncStatusNotifier.startCloudIdSync,
+    onCloudIdSyncComplete: syncStatusNotifier.completeCloudIdSync,
+    onCloudIdSyncError: syncStatusNotifier.errorCloudIdSync,
   );
   ref.onDispose(manager.cancel);
   return manager;

mobile/lib/providers/sync_status.provider.dart

@@ -21,6 +21,7 @@ class SyncStatusState {
   final SyncStatus remoteSyncStatus;
   final SyncStatus localSyncStatus;
   final SyncStatus hashJobStatus;
+  final SyncStatus cloudIdSyncStatus;
 
   final String? errorMessage;
 
@@ -28,6 +29,7 @@ class SyncStatusState {
     this.remoteSyncStatus = SyncStatus.idle,
     this.localSyncStatus = SyncStatus.idle,
     this.hashJobStatus = SyncStatus.idle,
+    this.cloudIdSyncStatus = SyncStatus.idle,
     this.errorMessage,
   });
 
@@ -35,12 +37,14 @@ class SyncStatusState {
     SyncStatus? remoteSyncStatus,
     SyncStatus? localSyncStatus,
     SyncStatus? hashJobStatus,
+    SyncStatus? cloudIdSyncStatus,
     String? errorMessage,
   }) {
     return SyncStatusState(
       remoteSyncStatus: remoteSyncStatus ?? this.remoteSyncStatus,
       localSyncStatus: localSyncStatus ?? this.localSyncStatus,
       hashJobStatus: hashJobStatus ?? this.hashJobStatus,
+      cloudIdSyncStatus: cloudIdSyncStatus ?? this.cloudIdSyncStatus,
       errorMessage: errorMessage ?? this.errorMessage,
     );
   }
@@ -48,6 +52,7 @@ class SyncStatusState {
   bool get isRemoteSyncing => remoteSyncStatus == SyncStatus.syncing;
   bool get isLocalSyncing => localSyncStatus == SyncStatus.syncing;
   bool get isHashing => hashJobStatus == SyncStatus.syncing;
+  bool get isCloudIdSyncing => cloudIdSyncStatus == SyncStatus.syncing;
 
   @override
   bool operator ==(Object other) {
@@ -56,11 +61,12 @@ class SyncStatusState {
         other.remoteSyncStatus == remoteSyncStatus &&
         other.localSyncStatus == localSyncStatus &&
         other.hashJobStatus == hashJobStatus &&
+        other.cloudIdSyncStatus == cloudIdSyncStatus &&
         other.errorMessage == errorMessage;
   }
 
   @override
-  int get hashCode => Object.hash(remoteSyncStatus, localSyncStatus, hashJobStatus, errorMessage);
+  int get hashCode => Object.hash(remoteSyncStatus, localSyncStatus, hashJobStatus, cloudIdSyncStatus, errorMessage);
 }
 
 class SyncStatusNotifier extends Notifier<SyncStatusState> {
@@ -71,6 +77,7 @@ class SyncStatusNotifier extends Notifier<SyncStatusState> {
       remoteSyncStatus: SyncStatus.idle,
       localSyncStatus: SyncStatus.idle,
       hashJobStatus: SyncStatus.idle,
+      cloudIdSyncStatus: SyncStatus.idle,
     );
   }
 
@@ -109,6 +116,18 @@ class SyncStatusNotifier extends Notifier<SyncStatusState> {
   void startHashJob() => setHashJobStatus(SyncStatus.syncing);
   void completeHashJob() => setHashJobStatus(SyncStatus.success);
   void errorHashJob(String error) => setHashJobStatus(SyncStatus.error, error);
+
+  ///
+  /// Cloud ID Sync Job
+  ///
+
+  void setCloudIdSyncStatus(SyncStatus status, [String? errorMessage]) {
+    state = state.copyWith(cloudIdSyncStatus: status, errorMessage: status == SyncStatus.error ? errorMessage : null);
+  }
+
+  void startCloudIdSync() => setCloudIdSyncStatus(SyncStatus.syncing);
+  void completeCloudIdSync() => setCloudIdSyncStatus(SyncStatus.success);
+  void errorCloudIdSync(String error) => setCloudIdSyncStatus(SyncStatus.error, error);
 }
 
 final syncStatusProvider = NotifierProvider<SyncStatusNotifier, SyncStatusState>(SyncStatusNotifier.new);

mobile/openapi/lib/model/permission.dart

@@ -168,6 +168,7 @@ class Permission {
   static const queueJobPeriodRead = Permission._(r'queueJob.read');
   static const queueJobPeriodUpdate = Permission._(r'queueJob.update');
   static const queueJobPeriodDelete = Permission._(r'queueJob.delete');
+  static const viewPeriodFolder = Permission._(r'view.folder');
   static const workflowPeriodCreate = Permission._(r'workflow.create');
   static const workflowPeriodRead = Permission._(r'workflow.read');
   static const workflowPeriodUpdate = Permission._(r'workflow.update');
@@ -326,6 +327,7 @@ class Permission {
     queueJobPeriodRead,
     queueJobPeriodUpdate,
     queueJobPeriodDelete,
+    viewPeriodFolder,
     workflowPeriodCreate,
     workflowPeriodRead,
     workflowPeriodUpdate,
@@ -519,6 +521,7 @@ class PermissionTypeTransformer {
         case r'queueJob.read': return Permission.queueJobPeriodRead;
         case r'queueJob.update': return Permission.queueJobPeriodUpdate;
         case r'queueJob.delete': return Permission.queueJobPeriodDelete;
+        case r'view.folder': return Permission.viewPeriodFolder;
         case r'workflow.create': return Permission.workflowPeriodCreate;
         case r'workflow.read': return Permission.workflowPeriodRead;
         case r'workflow.update': return Permission.workflowPeriodUpdate;

open-api/immich-openapi-specs.json

@@ -3173,6 +3173,7 @@
             "state": "Stable"
           }
         ],
+        "x-immich-permission": "asset.upload",
         "x-immich-state": "Stable"
       }
     },
@@ -3225,6 +3226,7 @@
             "state": "Stable"
           }
         ],
+        "x-immich-permission": "job.create",
         "x-immich-state": "Stable"
       }
     },
@@ -14618,6 +14620,7 @@
             "state": "Stable"
           }
         ],
+        "x-immich-permission": "view.folder",
         "x-immich-state": "Stable"
       }
     },
@@ -14670,6 +14673,7 @@
             "state": "Stable"
           }
         ],
+        "x-immich-permission": "view.folder",
         "x-immich-state": "Stable"
       }
     },
@@ -19054,6 +19058,7 @@
           "queueJob.read",
           "queueJob.update",
           "queueJob.delete",
+          "view.folder",
           "workflow.create",
           "workflow.read",
           "workflow.update",

open-api/typescript-sdk/src/fetch-client.ts

@@ -5620,6 +5620,7 @@ export enum Permission {
     QueueJobRead = "queueJob.read",
     QueueJobUpdate = "queueJob.update",
     QueueJobDelete = "queueJob.delete",
+    ViewFolder = "view.folder",
     WorkflowCreate = "workflow.create",
     WorkflowRead = "workflow.read",
     WorkflowUpdate = "workflow.update",

server/src/controllers/asset-media.controller.ts

@@ -202,7 +202,7 @@ export class AssetMediaController {
   }
 
   @Post('exist')
-  @Authenticated()
+  @Authenticated({ permission: Permission.AssetUpload })
   @Endpoint({
     summary: 'Check existing assets',
     description: 'Checks if multiple assets exist on the server and returns all existing - used by background backup',

server/src/controllers/asset.controller.ts

@@ -66,7 +66,7 @@ export class AssetController {
   }
 
   @Post('jobs')
-  @Authenticated()
+  @Authenticated({ permission: Permission.JobCreate })
   @HttpCode(HttpStatus.NO_CONTENT)
   @Endpoint({
     summary: 'Run an asset job',

server/src/controllers/view.controller.ts

@@ -3,7 +3,7 @@ import { ApiTags } from '@nestjs/swagger';
 import { Endpoint, HistoryBuilder } from 'src/decorators';
 import { AssetResponseDto } from 'src/dtos/asset-response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
-import { ApiTag } from 'src/enum';
+import { ApiTag, Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { ViewService } from 'src/services/view.service';
 
@@ -13,7 +13,7 @@ export class ViewController {
   constructor(private service: ViewService) {}
 
   @Get('folder/unique-paths')
-  @Authenticated()
+  @Authenticated({ permission: Permission.ViewFolder })
   @Endpoint({
     summary: 'Retrieve unique paths',
     description: 'Retrieve a list of unique folder paths from asset original paths.',
@@ -24,7 +24,7 @@ export class ViewController {
   }
 
   @Get('folder')
-  @Authenticated()
+  @Authenticated({ permission: Permission.ViewFolder })
   @Endpoint({
     summary: 'Retrieve assets by original path',
     description: 'Retrieve assets that are children of a specific folder.',

server/src/enum.ts

@@ -270,6 +270,8 @@ export enum Permission {
   QueueJobUpdate = 'queueJob.update',
   QueueJobDelete = 'queueJob.delete',
 
+  ViewFolder = 'view.folder',
+
   WorkflowCreate = 'workflow.create',
   WorkflowRead = 'workflow.read',
   WorkflowUpdate = 'workflow.update',