fix(server): scoped permissions for more endpoints (#25452)

2026-03-25 09:15:56 +00:00 · 2026-01-23 15:03:57 +01:00 · 2026-01-23 15:03:57 +01:00 · 20dca39143
commit 20dca39143
parent 84679fb2b2
7 changed files with 13 additions and 5 deletions
--- a/mobile/openapi/lib/model/permission.dart
+++ b/mobile/openapi/lib/model/permission.dart
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@ -3173,6 +3173,7 @@
            "state": "Stable"
          }
        ],
+        "x-immich-permission": "asset.upload",
        "x-immich-state": "Stable"
      }
    },
@ -3225,6 +3226,7 @@
            "state": "Stable"
          }
        ],
+        "x-immich-permission": "job.create",
        "x-immich-state": "Stable"
      }
    },
@ -14618,6 +14620,7 @@
            "state": "Stable"
          }
        ],
+        "x-immich-permission": "folder.read",
        "x-immich-state": "Stable"
      }
    },
@ -14670,6 +14673,7 @@
            "state": "Stable"
          }
        ],
+        "x-immich-permission": "folder.read",
        "x-immich-state": "Stable"
      }
    },
@ -18959,6 +18963,7 @@
          "face.read",
          "face.update",
          "face.delete",
+          "folder.read",
          "job.create",
          "job.read",
          "library.create",
--- a/open-api/typescript-sdk/src/fetch-client.ts
+++ b/open-api/typescript-sdk/src/fetch-client.ts
@ -5524,6 +5524,7 @@ export enum Permission {
    FaceRead = "face.read",
    FaceUpdate = "face.update",
    FaceDelete = "face.delete",
+    FolderRead = "folder.read",
    JobCreate = "job.create",
    JobRead = "job.read",
    LibraryCreate = "library.create",
--- a/server/src/controllers/asset-media.controller.ts
+++ b/server/src/controllers/asset-media.controller.ts
@ -202,7 +202,7 @@ export class AssetMediaController {
  }

  @Post('exist')
-  @Authenticated()
+  @Authenticated({ permission: Permission.AssetUpload })
  @Endpoint({
    summary: 'Check existing assets',
    description: 'Checks if multiple assets exist on the server and returns all existing - used by background backup',
--- a/server/src/controllers/asset.controller.ts
+++ b/server/src/controllers/asset.controller.ts
@ -66,7 +66,7 @@ export class AssetController {
  }

  @Post('jobs')
-  @Authenticated()
+  @Authenticated({ permission: Permission.JobCreate })
  @HttpCode(HttpStatus.NO_CONTENT)
  @Endpoint({
    summary: 'Run an asset job',
--- a/server/src/controllers/view.controller.ts
+++ b/server/src/controllers/view.controller.ts
@ -3,7 +3,7 @@ import { ApiTags } from '@nestjs/swagger';
 import { Endpoint, HistoryBuilder } from 'src/decorators';
 import { AssetResponseDto } from 'src/dtos/asset-response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
-import { ApiTag } from 'src/enum';
+import { ApiTag, Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { ViewService } from 'src/services/view.service';

@ -13,7 +13,7 @@ export class ViewController {
  constructor(private service: ViewService) {}

  @Get('folder/unique-paths')
-  @Authenticated()
+  @Authenticated({ permission: Permission.FolderRead })
  @Endpoint({
    summary: 'Retrieve unique paths',
    description: 'Retrieve a list of unique folder paths from asset original paths.',
@ -24,7 +24,7 @@ export class ViewController {
  }

  @Get('folder')
-  @Authenticated()
+  @Authenticated({ permission: Permission.FolderRead })
  @Endpoint({
    summary: 'Retrieve assets by original path',
    description: 'Retrieve assets that are children of a specific folder.',
--- a/server/src/enum.ts
+++ b/server/src/enum.ts
@ -146,6 +146,8 @@ export enum Permission {
  FaceUpdate = 'face.update',
  FaceDelete = 'face.delete',

+  FolderRead = 'folder.read',
+
  JobCreate = 'job.create',
  JobRead = 'job.read',