chore(deps): update github-actions

feat: honor album access permissions in search endpoints (#29352 )
fix!: search endpoints visibility can be omitted (#29385 )
2026-06-30 10:07:09 -07:00 · 2026-06-30 16:18:39 +00:00 · 2026-06-29 22:27:22 +02:00 · 2026-06-29 22:00:02 +02:00
15 changed files with 147 additions and 304 deletions
@@ -103,7 +103,7 @@ jobs:
        working-directory: ./mobile
        run: printf "%s" $KEY_JKS | base64 -d > android/key.jks

-      - uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5.3.0
+      - uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5.4.0
        with:
          distribution: 'zulu'
          java-version: '17'
@@ -237,7 +237,7 @@ jobs:
        run: flutter build ios --config-only --no-codesign

      - name: Setup Ruby
-        uses: ruby/setup-ruby@89f90524b88a01fe6e0b732220432cc6142926af # v1.313.0
+        uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0
        with:
          ruby-version: '3.3'
          bundler-cache: true
@@ -25,7 +25,7 @@ jobs:
          persist-credentials: false

      - name: Check for breaking API changes
-        uses: oasdiff/oasdiff-action/breaking@e24529087d93f837b28b50bb66ba9016380a7fcc # v0.1.2
+        uses: oasdiff/oasdiff-action/breaking@ccc2442df0d99f8c419ed73e3de88641c91b3bc6 # v0.1.3
        with:
          base: https://raw.githubusercontent.com/${{ github.repository }}/main/open-api/immich-openapi-specs.json
          revision: open-api/immich-openapi-specs.json
@@ -149,7 +149,7 @@ jobs:
          github-token: ${{ steps.generate-token.outputs.token }}

      - name: Create draft release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
+        uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
        with:
          draft: true
          prerelease: ${{ needs.bump_version.outputs.rc }}
@@ -52,8 +52,6 @@ class RemoteAsset extends BaseAsset {

  bool get isTrashed => deletedAt != null;

-  bool get isStacked => stackId != null;
-
  @override
  String toString() {
    return '''Asset {
@@ -3,29 +3,25 @@ import 'package:immich_mobile/domain/models/asset/base_asset.model.dart';
 import 'package:immich_mobile/generated/translations.g.dart';
 import 'package:immich_mobile/presentation/actions/action.dart';
 import 'package:immich_mobile/providers/infrastructure/asset.provider.dart';
-import 'package:immich_mobile/utils/asset_filter.dart';
 import 'package:immich_ui/immich_ui.dart';

 class FavoriteAction extends AssetAction<RemoteAsset> {
-  final bool favorite;
+  final bool shouldFavorite;

-  FavoriteAction({required super.assets}) : favorite = assets.any((asset) => !asset.isFavorite);
+  FavoriteAction({required super.assets}) : shouldFavorite = assets.any((asset) => !asset.isFavorite);

  @override
-  IconData get icon => favorite ? Icons.favorite_border_rounded : Icons.favorite_rounded;
+  IconData get icon => shouldFavorite ? Icons.favorite_border_rounded : Icons.favorite_rounded;

  @override
-  String label(ActionScope scope) => favorite ? scope.context.t.favorite : scope.context.t.unfavorite;
+  String label(ActionScope scope) => shouldFavorite ? scope.context.t.favorite : scope.context.t.unfavorite;

  @override
-  Iterable<RemoteAsset> filter(ActionScope scope) {
-    final owned = AssetFilter(assets).owned(scope.authUser.id);
-    if (favorite) {
-      return owned.notFavorites();
-    } else {
-      return owned.favorites();
-    }
-  }
+  Iterable<RemoteAsset> filter(ActionScope scope) => assets
+      .where(
+        (asset) => asset is RemoteAsset && asset.ownerId == scope.authUser.id && asset.isFavorite == !shouldFavorite,
+      )
+      .cast<RemoteAsset>();

  @override
  bool isVisible(ActionScope scope) => filter(scope).isNotEmpty;
@@ -35,8 +31,8 @@ class FavoriteAction extends AssetAction<RemoteAsset> {
    final ActionScope(:ref) = scope;
    final assets = filter(scope).map((asset) => asset.id).toList(growable: false);

-    await ref.read(assetServiceProvider).updateFavorite(assets, favorite);
-    final message = favorite
+    await ref.read(assetServiceProvider).updateFavorite(assets, shouldFavorite);
+    final message = shouldFavorite
        ? StaticTranslations.instance.favorite_action_prompt(count: assets.length)
        : StaticTranslations.instance.unfavorite_action_prompt(count: assets.length);
    snackbar.success(message);
@@ -1,28 +0,0 @@
-import 'package:immich_mobile/domain/models/asset/base_asset.model.dart';
-
-extension type const AssetFilter<T extends BaseAsset>(Iterable<T> assets) implements Iterable<T> {
-  AssetFilter<T> where(bool Function(T asset) test) => AssetFilter(assets.where(test));
-  AssetFilter<T> whereNot(bool Function(T asset) test) => AssetFilter(assets.where((asset) => !test(asset)));
-
-  AssetFilter<T> type(AssetType type) => where((asset) => asset.type == type);
-  AssetFilter<T> favorites() => where(_isFavorite);
-  AssetFilter<T> notFavorites() => whereNot(_isFavorite);
-
-  AssetFilter<RemoteAsset> remote() => AssetFilter(assets.whereType<RemoteAsset>());
-  AssetFilter<RemoteAsset> owned(String ownerId) => remote().where((asset) => asset.ownerId == ownerId);
-  AssetFilter<RemoteAsset> visibility(AssetVisibility visibility) => remote().where(_hasVisibility(visibility));
-  AssetFilter<RemoteAsset> notVisibility(AssetVisibility visibility) => remote().whereNot(_hasVisibility(visibility));
-  AssetFilter<RemoteAsset> archived() => visibility(.archive);
-  AssetFilter<RemoteAsset> notArchived() => notVisibility(.archive);
-  AssetFilter<RemoteAsset> stacked() => remote().where(_isStacked);
-  AssetFilter<RemoteAsset> notStacked() => remote().whereNot(_isStacked);
-
-  AssetFilter<LocalAsset> local() => AssetFilter(assets.whereType<LocalAsset>());
-  AssetFilter<LocalAsset> backedUp() => local().where(_isBackedUp);
-}
-
-bool _isFavorite(BaseAsset asset) => asset.isFavorite;
-bool _isStacked(RemoteAsset asset) => asset.isStacked;
-bool _isBackedUp(LocalAsset asset) => asset.remoteAssetId != null;
-bool Function(RemoteAsset asset) _hasVisibility(AssetVisibility visibility) =>
-    (asset) => asset.visibility == visibility;
@@ -5,14 +5,7 @@ import '../../utils.dart';
 class RemoteAssetFactory {
  const RemoteAssetFactory();

-  static RemoteAsset create({
-    String? id,
-    String? name,
-    String? ownerId,
-    bool isFavorite = false,
-    AssetVisibility visibility = AssetVisibility.timeline,
-    String? stackId,
-  }) {
+  static RemoteAsset create({String? id, String? name, String? ownerId, bool isFavorite = false}) {
    id = TestUtils.uuid(id);

    return RemoteAsset(
@@ -24,8 +17,6 @@ class RemoteAssetFactory {
      createdAt: TestUtils.yesterday(),
      updatedAt: TestUtils.now(),
      isFavorite: isFavorite,
-      visibility: visibility,
-      stackId: stackId,
      isEdited: false,
    );
  }
@@ -1,200 +0,0 @@
-import 'package:flutter_test/flutter_test.dart';
-import 'package:immich_mobile/domain/models/asset/base_asset.model.dart';
-import 'package:immich_mobile/utils/asset_filter.dart';
-
-import '../factories/local_asset_factory.dart';
-import '../factories/remote_asset_factory.dart';
-
-void main() {
-  group('AssetFilter', () {
-    group('type promotion', () {
-      test('a bare filter retains every BaseAsset', () {
-        final remoteAsset = RemoteAssetFactory.create();
-        final localAsset = LocalAssetFactory.create();
-
-        final AssetFilter<BaseAsset> filter = AssetFilter(<BaseAsset>[remoteAsset, localAsset]);
-
-        expect(filter.toList(), [remoteAsset, localAsset]);
-      });
-
-      test('remote keeps only remote assets', () {
-        final remoteAsset = RemoteAssetFactory.create();
-        final localAsset = LocalAssetFactory.create();
-
-        final AssetFilter<RemoteAsset> remoteOnly = AssetFilter(<BaseAsset>[remoteAsset, localAsset]).remote();
-
-        expect(remoteOnly.toList(), [remoteAsset]);
-      });
-
-      test('local keeps only local assets', () {
-        final remoteAsset = RemoteAssetFactory.create();
-        final localAsset = LocalAssetFactory.create();
-
-        final AssetFilter<LocalAsset> localOnly = AssetFilter(<BaseAsset>[remoteAsset, localAsset]).local();
-
-        expect(localOnly.toList(), [localAsset]);
-      });
-
-      test('owned promotes to RemoteAsset and drops local assets', () {
-        final remoteAsset = RemoteAssetFactory.create();
-        final localAsset = LocalAssetFactory.create();
-
-        final AssetFilter<RemoteAsset> remoteOnly = AssetFilter(<BaseAsset>[
-          remoteAsset,
-          localAsset,
-        ]).owned(remoteAsset.ownerId);
-
-        expect(remoteOnly.toList(), [remoteAsset]);
-      });
-
-      test('backedUp promotes to LocalAsset and drops remote assets', () {
-        final syncedPhoto = LocalAssetFactory.create().copyWith(remoteId: 'remote');
-        final offlinePhoto = LocalAssetFactory.create();
-        final remotePhoto = RemoteAssetFactory.create();
-
-        final AssetFilter<LocalAsset> syncedPhotos = AssetFilter(<BaseAsset>[
-          syncedPhoto,
-          offlinePhoto,
-          remotePhoto,
-        ]).backedUp();
-
-        expect(syncedPhotos.toList(), [syncedPhoto]);
-      });
-    });
-
-    group('named filters', () {
-      test('owned keeps only assets of the given owner', () {
-        final asset1 = RemoteAssetFactory.create();
-        final asset2 = RemoteAssetFactory.create();
-
-        final alexPhotos = AssetFilter([asset1, asset2]).owned(asset1.ownerId);
-
-        expect(alexPhotos.toList(), [asset1]);
-      });
-
-      test('favorites keeps only favorite assets', () {
-        final asset1 = RemoteAssetFactory.create(isFavorite: true);
-        final asset2 = RemoteAssetFactory.create(ownerId: asset1.ownerId);
-
-        final favorites = AssetFilter([asset1, asset2]).favorites();
-
-        expect(favorites.toList(), [asset1]);
-      });
-
-      test('type keeps only assets of the given type', () {
-        final image = RemoteAssetFactory.create();
-        final video = RemoteAssetFactory.create(ownerId: image.ownerId).copyWith(type: .video);
-
-        final videos = AssetFilter([image, video]).type(.video);
-
-        expect(videos.toList(), [video]);
-      });
-
-      test('visibility keeps only assets with the given visibility', () {
-        final locked = RemoteAssetFactory.create(visibility: AssetVisibility.locked);
-        final onTimeline = RemoteAssetFactory.create(ownerId: locked.ownerId);
-
-        final lockedPhotos = AssetFilter([locked, onTimeline]).visibility(.locked);
-
-        expect(lockedPhotos.toList(), [locked]);
-      });
-
-      test('archived keeps only archived assets', () {
-        final archived = RemoteAssetFactory.create(visibility: AssetVisibility.archive);
-        final onTimeline = RemoteAssetFactory.create(ownerId: archived.ownerId);
-
-        final archivedPhotos = AssetFilter([archived, onTimeline]).archived();
-
-        expect(archivedPhotos.toList(), [archived]);
-      });
-
-      test('stacked keeps only assets belonging to a stack', () {
-        final stacked = RemoteAssetFactory.create(stackId: 'stack');
-        final loose = RemoteAssetFactory.create(ownerId: stacked.ownerId);
-
-        final stackedPhotos = AssetFilter([stacked, loose]).stacked();
-
-        expect(stackedPhotos.toList(), [stacked]);
-      });
-    });
-
-    group('inversion', () {
-      test('notArchived keeps every non-archived visibility', () {
-        final archived = RemoteAssetFactory.create(visibility: AssetVisibility.archive);
-        final onTimeline = RemoteAssetFactory.create(ownerId: archived.ownerId, visibility: AssetVisibility.timeline);
-        final hidden = RemoteAssetFactory.create(ownerId: archived.ownerId, visibility: AssetVisibility.hidden);
-        final locked = RemoteAssetFactory.create(ownerId: archived.ownerId, visibility: AssetVisibility.locked);
-
-        final visiblePhotos = AssetFilter([archived, onTimeline, hidden, locked]).notArchived();
-
-        expect(visiblePhotos.toSet(), {onTimeline, hidden, locked});
-      });
-
-      test('notVisibility keeps every asset not at the target visibility', () {
-        final archived = RemoteAssetFactory.create(visibility: AssetVisibility.archive);
-        final onTimeline = RemoteAssetFactory.create(ownerId: archived.ownerId, visibility: AssetVisibility.timeline);
-        final locked = RemoteAssetFactory.create(ownerId: archived.ownerId, visibility: AssetVisibility.locked);
-
-        final toArchive = AssetFilter([archived, onTimeline, locked]).notVisibility(.archive);
-
-        expect(toArchive.toSet(), {onTimeline, locked});
-      });
-
-      test('notStacked keeps only assets without a stack', () {
-        final stacked = RemoteAssetFactory.create(stackId: 'stack');
-        final loose = RemoteAssetFactory.create(ownerId: stacked.ownerId);
-
-        final loosePhotos = AssetFilter([stacked, loose]).notStacked();
-
-        expect(loosePhotos.toList(), [loose]);
-      });
-
-      test('whereNot inverts an arbitrary predicate', () {
-        final favorite = RemoteAssetFactory.create(isFavorite: true);
-        final regular = RemoteAssetFactory.create(ownerId: favorite.ownerId);
-
-        final nonFavorites = AssetFilter([favorite, regular]).whereNot((asset) => asset.isFavorite);
-
-        expect(nonFavorites.toList(), [regular]);
-      });
-
-      test('notFavorites keeps only non-favorite assets', () {
-        final favorite = RemoteAssetFactory.create(isFavorite: true);
-        final regular = RemoteAssetFactory.create(ownerId: favorite.ownerId);
-
-        final nonFavorites = AssetFilter([favorite, regular]).notFavorites();
-
-        expect(nonFavorites.toList(), [regular]);
-      });
-    });
-
-    group('chaining', () {
-      test('combines predicates across owner, visibility and stack', () {
-        final asset = RemoteAssetFactory.create();
-        final wrongOwner = RemoteAssetFactory.create();
-        final archived = RemoteAssetFactory.create(ownerId: asset.ownerId, visibility: AssetVisibility.archive);
-        final stacked = RemoteAssetFactory.create(ownerId: asset.ownerId, stackId: 'stack-1');
-        final localPhoto = LocalAssetFactory.create();
-
-        final result = AssetFilter(<BaseAsset>[
-          asset,
-          wrongOwner,
-          archived,
-          stacked,
-          localPhoto,
-        ]).owned(asset.ownerId).notArchived().notStacked();
-
-        expect(result.toList(), [asset]);
-      });
-
-      test('a base filter after a promotion retains the promoted type', () {
-        final favorite = RemoteAssetFactory.create(isFavorite: true);
-        final regular = RemoteAssetFactory.create(ownerId: favorite.ownerId);
-
-        final AssetFilter<RemoteAsset> result = AssetFilter([favorite, regular]).owned(favorite.ownerId).favorites();
-
-        expect(result.toList(), [favorite]);
-      });
-    });
-  });
-}
@@ -7,18 +7,17 @@ from
  "asset"
  inner join "asset_exif" on "asset"."id" = "asset_exif"."assetId"
 where
-  "asset"."visibility" = $1
-  and "asset"."fileCreatedAt" >= $2
-  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  "asset"."fileCreatedAt" >= $1
+  and "asset_exif"."lensModel" = $2
+  and "asset"."ownerId" = any ($3::uuid[])
+  and "asset"."isFavorite" = $4
  and "asset"."deletedAt" is null
 order by
  "asset"."fileCreatedAt" desc
 limit
-  $6
+  $5
 offset
-  $7
+  $6

 -- SearchRepository.searchStatistics
 select
@@ -27,11 +26,10 @@ from
  "asset"
  inner join "asset_exif" on "asset"."id" = "asset_exif"."assetId"
 where
-  "asset"."visibility" = $1
-  and "asset"."fileCreatedAt" >= $2
-  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  "asset"."fileCreatedAt" >= $1
+  and "asset_exif"."lensModel" = $2
+  and "asset"."ownerId" = any ($3::uuid[])
+  and "asset"."isFavorite" = $4
  and "asset"."deletedAt" is null

 -- SearchRepository.searchRandom
@@ -41,16 +39,15 @@ from
  "asset"
  inner join "asset_exif" on "asset"."id" = "asset_exif"."assetId"
 where
-  "asset"."visibility" = $1
-  and "asset"."fileCreatedAt" >= $2
-  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  "asset"."fileCreatedAt" >= $1
+  and "asset_exif"."lensModel" = $2
+  and "asset"."ownerId" = any ($3::uuid[])
+  and "asset"."isFavorite" = $4
  and "asset"."deletedAt" is null
 order by
  random()
 limit
-  $6
+  $5

 -- SearchRepository.searchLargeAssets
 select
@@ -60,17 +57,16 @@ from
  "asset"
  inner join "asset_exif" on "asset"."id" = "asset_exif"."assetId"
 where
-  "asset"."visibility" = $1
-  and "asset"."fileCreatedAt" >= $2
-  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  "asset"."fileCreatedAt" >= $1
+  and "asset_exif"."lensModel" = $2
+  and "asset"."ownerId" = any ($3::uuid[])
+  and "asset"."isFavorite" = $4
  and "asset"."deletedAt" is null
-  and "asset_exif"."fileSizeInByte" > $6
+  and "asset_exif"."fileSizeInByte" > $5
 order by
  "asset_exif"."fileSizeInByte" desc
 limit
-  $7
+  $6

 -- SearchRepository.searchSmart
 begin
@@ -83,18 +79,17 @@ from
  inner join "asset_exif" on "asset"."id" = "asset_exif"."assetId"
  inner join "smart_search" on "asset"."id" = "smart_search"."assetId"
 where
-  "asset"."visibility" = $1
-  and "asset"."fileCreatedAt" >= $2
-  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  "asset"."fileCreatedAt" >= $1
+  and "asset_exif"."lensModel" = $2
+  and "asset"."ownerId" = any ($3::uuid[])
+  and "asset"."isFavorite" = $4
  and "asset"."deletedAt" is null
 order by
-  smart_search.embedding <=> $6
+  smart_search.embedding <=> $5
 limit
-  $7
+  $6
 offset
-  $8
+  $7
 commit

 -- SearchRepository.getEmbedding
@@ -117,7 +117,8 @@ type BaseAssetSearchOptions = SearchDateOptions &
  SearchAlbumOptions &
  SearchOcrOptions;

-export type AssetSearchOptions = BaseAssetSearchOptions & SearchRelationOptions;
+export type AssetSearchOptions = Omit<BaseAssetSearchOptions, 'visibility'> &
+  SearchRelationOptions & { visibility?: AssetVisibility | 'not-locked' };

 export type AssetSearchBuilderOptions = Omit<AssetSearchOptions, 'orderDirection'>;

@@ -125,11 +126,11 @@ export type SmartSearchOptions = SearchDateOptions &
  SearchEmbeddingOptions &
  SearchExifOptions &
  SearchOneToOneRelationOptions &
-  SearchStatusOptions &
+  Omit<SearchStatusOptions, 'visibility'> &
  SearchUserIdOptions &
  SearchPeopleOptions &
  SearchTagOptions &
-  SearchOcrOptions;
+  SearchOcrOptions & { visibility?: AssetVisibility | 'not-locked' };

 export type OcrSearchOptions = SearchDateOptions & SearchOcrOptions;

@@ -250,7 +250,7 @@ describe(SearchService.name, () => {
      );
      expect(mocks.search.searchSmart).toHaveBeenCalledWith(
        { page: 1, size: 100 },
-        { query: 'test', embedding: '[1, 2, 3]', userIds: [authStub.user1.user.id] },
+        { query: 'test', embedding: '[1, 2, 3]', userIds: [authStub.user1.user.id], visibility: 'not-locked' },
      );
    });

@@ -73,14 +73,22 @@ export class SearchService extends BaseService {
      checksum = Buffer.from(dto.checksum, encoding);
    }

+    let userIds: string[] | undefined;
+
+    if (dto.albumIds && dto.albumIds.length > 0) {
+      await this.requireAccess({ auth, ids: dto.albumIds, permission: Permission.AlbumRead });
+    } else {
+      userIds = await this.getUserIdsToSearch(auth, dto.visibility);
+    }
+
    const page = dto.page ?? 1;
    const size = dto.size || 250;
-    const userIds = await this.getUserIdsToSearch(auth, dto.visibility);
    const { hasNextPage, items } = await this.searchRepository.searchMetadata(
      { page, size },
      {
        ...dto,
        checksum,
+        visibility: dto.visibility ?? (auth.session?.hasElevatedPermission ? undefined : 'not-locked'),
        userIds,
        orderDirection: dto.order ?? AssetOrder.Desc,
      },
@@ -91,9 +99,13 @@ export class SearchService extends BaseService {

  async searchStatistics(auth: AuthDto, dto: StatisticsSearchDto): Promise<SearchStatisticsResponseDto> {
    const userIds = await this.getUserIdsToSearch(auth);
+    if (dto.visibility === AssetVisibility.Locked) {
+      requireElevatedPermission(auth);
+    }

    return await this.searchRepository.searchStatistics({
      ...dto,
+      visibility: dto.visibility ?? (auth.session?.hasElevatedPermission ? undefined : 'not-locked'),
      userIds,
    });
  }
@@ -114,7 +126,11 @@ export class SearchService extends BaseService {
    }

    const userIds = await this.getUserIdsToSearch(auth, dto.visibility);
-    const items = await this.searchRepository.searchLargeAssets(dto.size || 250, { ...dto, userIds });
+    const items = await this.searchRepository.searchLargeAssets(dto.size || 250, {
+      ...dto,
+      visibility: dto.visibility ?? (auth.session?.hasElevatedPermission ? undefined : 'not-locked'),
+      userIds,
+    });
    return items.map((item) => mapAsset(item, { auth }));
  }

@@ -155,7 +171,12 @@ export class SearchService extends BaseService {
    const size = dto.size || 100;
    const { hasNextPage, items } = await this.searchRepository.searchSmart(
      { page, size },
-      { ...dto, userIds: await userIds, embedding },
+      {
+        ...dto,
+        userIds: await userIds,
+        embedding,
+        visibility: dto.visibility ?? (auth.session?.hasElevatedPermission ? undefined : 'not-locked'),
+      },
    );

    return this.mapResponse(items, hasNextPage ? (page + 1).toString() : null, { auth });
@@ -373,12 +373,15 @@ const joinDeduplicationPlugin = new DeduplicateJoinsPlugin();

 export function searchAssetBuilder(kysely: Kysely<DB>, options: AssetSearchBuilderOptions) {
  options.withDeleted ||= !!(options.trashedAfter || options.trashedBefore || options.isOffline);
-  const visibility = options.visibility == null ? AssetVisibility.Timeline : options.visibility;

  return kysely
    .withPlugin(joinDeduplicationPlugin)
    .selectFrom('asset')
-    .where('asset.visibility', '=', visibility)
+    .$if(!!options.visibility, (qb) =>
+      options.visibility === 'not-locked'
+        ? qb.where('asset.visibility', '!=', AssetVisibility.Locked)
+        : qb.where('asset.visibility', '=', options.visibility!),
+    )
    .$if(!!options.albumIds && options.albumIds.length > 0, (qb) => inAlbums(qb, options.albumIds!))
    .$if(!!options.tagIds && options.tagIds.length > 0, (qb) => hasTags(qb, options.tagIds!))
    .$if(options.tagIds === null, (qb) =>
@@ -1,5 +1,6 @@
 import { Kysely } from 'kysely';
 import { SearchSuggestionType } from 'src/dtos/search.dto';
+import { AlbumUserRole, AssetVisibility } from 'src/enum';
 import { AccessRepository } from 'src/repositories/access.repository';
 import { AssetRepository } from 'src/repositories/asset.repository';
 import { DatabaseRepository } from 'src/repositories/database.repository';
@@ -108,6 +109,71 @@ describe(SearchService.name, () => {
      expect(response.assets.items.length).toBe(1);
      expect(response.assets.items[0].id).toBe(unstackedAsset.id);
    });
+
+    describe('visibility', () => {
+      it('should filter out locked assets in a default session', async () => {
+        const { sut, ctx } = setup();
+        const { user } = await ctx.newUser();
+
+        await ctx.newAsset({ ownerId: user.id, visibility: AssetVisibility.Locked });
+
+        const auth = factory.auth({ user: { id: user.id } });
+
+        const response = await sut.searchMetadata(auth, { withStacked: false });
+
+        expect(response.assets.items.length).toBe(0);
+      });
+
+      it('should return locked assets in an elevated session', async () => {
+        const { sut, ctx } = setup();
+        const { user } = await ctx.newUser();
+
+        await ctx.newAsset({ ownerId: user.id, visibility: AssetVisibility.Locked });
+
+        const auth = factory.auth({ user: { id: user.id }, session: { hasElevatedPermission: true } });
+
+        const response = await sut.searchMetadata(auth, { withStacked: false });
+
+        expect(response.assets.items.length).toBe(1);
+      });
+    });
+  });
+
+  describe('albumIds option', () => {
+    it('should return assets from shared album', async () => {
+      const { sut, ctx } = setup();
+      const { user } = await ctx.newUser();
+      const { user: otherUser } = await ctx.newUser();
+
+      const { asset } = await ctx.newAsset({ ownerId: otherUser.id });
+      const { album } = await ctx.newAlbum({ ownerId: otherUser.id });
+      await ctx.newAlbumAsset({ albumId: album.id, assetId: asset.id });
+      await ctx.newAlbumUser({ albumId: album.id, userId: user.id, role: AlbumUserRole.Editor });
+
+      const auth = factory.auth({ user: { id: user.id } });
+
+      const response = await sut.searchMetadata(auth, { albumIds: [album.id] });
+
+      expect(response.assets.items.length).toBe(1);
+    });
+
+    it('should not return assets for album, a user is not in, when partner sharing is enabled', async () => {
+      const { sut, ctx } = setup();
+      const { user } = await ctx.newUser();
+      const { user: otherUser } = await ctx.newUser();
+
+      await ctx.newPartner({ sharedById: otherUser.id, sharedWithId: user.id });
+
+      const { asset } = await ctx.newAsset({ ownerId: otherUser.id });
+      const { album } = await ctx.newAlbum({ ownerId: otherUser.id });
+      await ctx.newAlbumAsset({ albumId: album.id, assetId: asset.id });
+
+      const auth = factory.auth({ user: { id: user.id } });
+
+      await expect(sut.searchMetadata(auth, { albumIds: [album.id] })).rejects.toThrow(
+        'Not found or no album.read access',
+      );
+    });
  });

  describe('getSearchSuggestions', () => {
@@ -27,7 +27,7 @@ const authFactory = ({
  user,
 }: {
  apiKey?: Partial<AuthApiKey>;
-  session?: { id: string };
+  session?: { id?: string; hasElevatedPermission?: boolean };
  user?: Omit<
    Partial<UserAdmin>,
    'createdAt' | 'updatedAt' | 'deletedAt' | 'fileCreatedAt' | 'fileModifiedAt' | 'localDateTime' | 'profileChangedAt'
@@ -46,8 +46,8 @@ const authFactory = ({

  if (session) {
    auth.session = {
-      id: session.id,
-      hasElevatedPermission: false,
+      id: session.id ?? newUuid(),
+      hasElevatedPermission: session.hasElevatedPermission ?? false,
    };
  }
Author	SHA1	Message	Date
renovate[bot]	8f734f7377	chore(deps): update github-actions	2026-06-30 16:18:39 +00:00
Daniel Dietzler	deeb042a9e	feat: honor album access permissions in search endpoints (#29352 )	2026-06-29 22:27:22 +02:00
Daniel Dietzler	b4cc406a3f	fix!: search endpoints visibility can be omitted (#29385 )	2026-06-29 22:00:02 +02:00