fix(server,web): correctly remove metadata from shared links (#4464)

* wip: strip metadata * fix: authenticate time buckets * hide detail panel * fix tests * fix lint * add e2e tests * chore: open api * fix web compilation error * feat: test with asset with gps position * fix: only import fs.promises.cp * fix: cleanup mapasset * fix: format --------- Co-authored-by: Alex Tran <alex.tran1502@gmail.com>
2023-10-14 03:46:30 +02:00
parent 4a9f58bf9b
commit dadcf49eca
39 changed files with 332 additions and 150 deletions
--- a/server/src/immich/api-v1/asset/asset.controller.ts
+++ b/server/src/immich/api-v1/asset/asset.controller.ts
@@ -186,7 +186,7 @@ export class AssetController {
  @SharedLinkRoute()
  @Get('/assetById/:id')
  getAssetById(@AuthUser() authUser: AuthUserDto, @Param() { id }: UUIDParamDto): Promise<AssetResponseDto> {
-    return this.assetService.getAssetById(authUser, id);
+    return this.assetService.getAssetById(authUser, id) as Promise<AssetResponseDto>;
  }

  /**
--- a/server/src/immich/api-v1/asset/asset.service.ts
+++ b/server/src/immich/api-v1/asset/asset.service.ts
@@ -10,9 +10,9 @@ import {
  IStorageRepository,
  JobName,
  mapAsset,
-  mapAssetWithoutExif,
  mimeTypes,
  Permission,
+  SanitizedAssetResponseDto,
  UploadFile,
 } from '@app/domain';
 import { ASSET_CHECKSUM_CONSTRAINT, AssetEntity, AssetType, LibraryType } from '@app/infra/entities';
@@ -187,22 +187,29 @@ export class AssetService {
    return assets.map((asset) => mapAsset(asset));
  }

-  public async getAssetById(authUser: AuthUserDto, assetId: string): Promise<AssetResponseDto> {
+  public async getAssetById(
+    authUser: AuthUserDto,
+    assetId: string,
+  ): Promise<AssetResponseDto | SanitizedAssetResponseDto> {
    await this.access.requirePermission(authUser, Permission.ASSET_READ, assetId);

-    const allowExif = this.getExifPermission(authUser);
+    const includeMetadata = this.getExifPermission(authUser);
    const asset = await this._assetRepository.getById(assetId);
-    const data = allowExif ? mapAsset(asset) : mapAssetWithoutExif(asset);
+    if (includeMetadata) {
+      const data = mapAsset(asset);

-    if (data.ownerId !== authUser.id) {
-      data.people = [];
+      if (data.ownerId !== authUser.id) {
+        data.people = [];
+      }
+
+      if (authUser.isPublicUser) {
+        delete data.owner;
+      }
+
+      return data;
+    } else {
+      return mapAsset(asset, true);
    }
-
-    if (authUser.isPublicUser) {
-      delete data.owner;
-    }
-
-    return data;
  }

  async serveThumbnail(authUser: AuthUserDto, assetId: string, query: GetAssetThumbnailDto, res: Res) {
@@ -374,7 +381,7 @@ export class AssetService {
  }

  getExifPermission(authUser: AuthUserDto) {
-    return !authUser.isPublicUser || authUser.isShowExif;
+    return !authUser.isPublicUser || authUser.isShowMetadata;
  }

  private getThumbnailPath(asset: AssetEntity, format: GetAssetThumbnailFormatEnum) {
--- a/server/src/immich/controllers/asset.controller.ts
+++ b/server/src/immich/controllers/asset.controller.ts
@@ -98,7 +98,7 @@ export class AssetController {
  @Authenticated({ isShared: true })
  @Get('time-bucket')
  getByTimeBucket(@AuthUser() authUser: AuthUserDto, @Query() dto: TimeBucketAssetDto): Promise<AssetResponseDto[]> {
-    return this.service.getByTimeBucket(authUser, dto);
+    return this.service.getByTimeBucket(authUser, dto) as Promise<AssetResponseDto[]>;
  }

  @Post('jobs')