k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-21 22:31:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(immich): check all trips when verifying shared photo access

Browse Source 
canAccessUserPhoto was using .get() which only returned the first matching
trip, causing access to be incorrectly denied when a photo was shared across
multiple trips and the requester was a member of a non-first trip.
This commit is contained in:
jubnl
2026-04-04 00:14:11 +02:00
parent 6400c2d27d
commit ae0d48ac83
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/services/immichService.ts
+4 -4
View File
@@ -236,12 +236,12 @@ export function togglePhotoSharing(tripId: string, userId: number, assetId: stri
* the same trip that contains the photo. * the same trip that contains the photo.
*/ */
export function canAccessUserPhoto(requestingUserId: number, ownerUserId: number, assetId: string): boolean { export function canAccessUserPhoto(requestingUserId: number, ownerUserId: number, assetId: string): boolean {
const row = db.prepare(` const rows = db.prepare(`
SELECT tp.trip_id FROM trip_photos tp SELECT tp.trip_id FROM trip_photos tp
WHERE tp.immich_asset_id = ? AND tp.user_id = ? AND tp.shared = 1 WHERE tp.immich_asset_id = ? AND tp.user_id = ? AND tp.shared = 1
`).get(assetId, ownerUserId) as { trip_id: number } | undefined; `).all(assetId, ownerUserId) as { trip_id: number }[];
if (!row) return false; if (rows.length === 0) return false;
return !!canAccessTrip(String(row.trip_id), requestingUserId); return rows.some(row => !!canAccessTrip(String(row.trip_id), requestingUserId));
} }
export async function getAssetInfo( export async function getAssetInfo(