From 20dca391430f8a492978d056c423305467bf3094 Mon Sep 17 00:00:00 2001
From: Mees Frensel <33722705+meesfrensel@users.noreply.github.com>
Date: Fri, 23 Jan 2026 15:03:57 +0100
Subject: [PATCH] fix(server): scoped permissions for more endpoints (#25452)

---
 mobile/openapi/lib/model/permission.dart | Bin 28436 -> 28587 bytes
 open-api/immich-openapi-specs.json | 5 +++++
 open-api/typescript-sdk/src/fetch-client.ts | 1 +
 .../src/controllers/asset-media.controller.ts | 2 +-
 server/src/controllers/asset.controller.ts | 2 +-
 server/src/controllers/view.controller.ts | 6 +++---
 server/src/enum.ts | 2 ++
 7 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/mobile/openapi/lib/model/permission.dart b/mobile/openapi/lib/model/permission.dart
index 37aecc8b9c8480933b92da26a15af83162dcbcda..01bb689538d2623f5de7164c8a09b61ae0715a62 100644
GIT binary patch
delta 81
zcmbPok8$;V#tjktENS^UDU&~l%CUhMsYR0wStK?`@LyLFfbauSi!$?5f>IMxHftJf
VlZB~bbe4kX+z=+a`M$rYJOJ%}9z6g6

delta 24
gcmZ2|pK;1P#tjktn`iJ}SK8cav_W=rS%9fL0F9XnZ2$lO

diff --git a/open-api/immich-openapi-specs.json b/open-api/immich-openapi-specs.json
index 137e7045a..28b61c421 100644
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@@ -3173,6 +3173,7 @@
 "state": "Stable"
 }
 ],
+ "x-immich-permission": "asset.upload",
 "x-immich-state": "Stable"
 }
 },
@@ -3225,6 +3226,7 @@
 "state": "Stable"
 }
 ],
+ "x-immich-permission": "job.create",
 "x-immich-state": "Stable"
 }
 },
@@ -14618,6 +14620,7 @@
 "state": "Stable"
 }
 ],
+ "x-immich-permission": "folder.read",
 "x-immich-state": "Stable"
 }
 },
@@ -14670,6 +14673,7 @@
 "state": "Stable"
 }
 ],
+ "x-immich-permission": "folder.read",
 "x-immich-state": "Stable"
 }
 },
@@ -18959,6 +18963,7 @@
 "face.read",
 "face.update",
 "face.delete",
+ "folder.read",
 "job.create",
 "job.read",
 "library.create",
diff --git a/open-api/typescript-sdk/src/fetch-client.ts b/open-api/typescript-sdk/src/fetch-client.ts
index 684818d28..c18ae9f47 100644
--- a/open-api/typescript-sdk/src/fetch-client.ts
+++ b/open-api/typescript-sdk/src/fetch-client.ts
@@ -5524,6 +5524,7 @@ export enum Permission {
 FaceRead = "face.read",
 FaceUpdate = "face.update",
 FaceDelete = "face.delete",
+ FolderRead = "folder.read",
 JobCreate = "job.create",
 JobRead = "job.read",
 LibraryCreate = "library.create",
diff --git a/server/src/controllers/asset-media.controller.ts b/server/src/controllers/asset-media.controller.ts
index 788ee0c0e..3ef63ff7f 100644
--- a/server/src/controllers/asset-media.controller.ts
+++ b/server/src/controllers/asset-media.controller.ts
@@ -202,7 +202,7 @@ export class AssetMediaController {
 }

 @Post('exist')
- @Authenticated()
+ @Authenticated({ permission: Permission.AssetUpload })
 @Endpoint({
 summary: 'Check existing assets',
 description: 'Checks if multiple assets exist on the server and returns all existing - used by background backup',
diff --git a/server/src/controllers/asset.controller.ts b/server/src/controllers/asset.controller.ts
index 988623360..8eb3a5ce4 100644
--- a/server/src/controllers/asset.controller.ts
+++ b/server/src/controllers/asset.controller.ts
@@ -66,7 +66,7 @@ export class AssetController {
 }

 @Post('jobs')
- @Authenticated()
+ @Authenticated({ permission: Permission.JobCreate })
 @HttpCode(HttpStatus.NO_CONTENT)
 @Endpoint({
 summary: 'Run an asset job',
diff --git a/server/src/controllers/view.controller.ts b/server/src/controllers/view.controller.ts
index 8a977e15b..b07d83fe5 100644
--- a/server/src/controllers/view.controller.ts
+++ b/server/src/controllers/view.controller.ts
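Review bot: Changing `@Post('exist')` from `@Authenticated()` to `@Authenticated({ permission: Permission.AssetUpload })` turns a check that any authenticated caller could make into one that needs `asset.upload`, so an API key scoped to read-only permissions now gets a 403 here; the same tightening applies to `@Post('jobs')` with `Permission.JobCreate` in asset.controller.ts and to both `folder` routes with `Permission.FolderRead` in view.controller.ts. `FolderRead` and, going by the enum.ts hunk, `JobCreate` appear to be new values of the server-side `Permission` enum in this commit, so no existing key with an explicit permission list can already hold them, and clients using such keys lose those endpoints until the key is re-issued; that deserves a sentence in the description or release notes. A why-comment on the decorator would also help the next reader, e.g. `// exist is part of the backup upload flow, so it is gated on asset.upload rather than asset.read`. The AssetMediaController class and the handler body continue outside the hunk.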
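Review bot: `Permission.JobCreate` on `@Post('jobs')` is a job-level permission rather than an asset-level one, so the decorator establishes only that the caller may start jobs, not that it may act on the asset ids carried in the request; presumably the service still performs the per-asset access check, but that is not visible in the hunk and is worth confirming since this guard is the only gate shown. If the intent is that any key allowed to create jobs may run them on the assets it can otherwise access, a short comment on the decorator saying so would record the decision, e.g. `// job.create authorises starting the job; per-asset access is checked by the service`. The AssetController class and the handler body continue outside the hunk.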
@@ -3,7 +3,7 @@ import { ApiTags } from '@nestjs/swagger';
 import { Endpoint, HistoryBuilder } from 'src/decorators';
 import { AssetResponseDto } from 'src/dtos/asset-response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
-import { ApiTag } from 'src/enum';
+import { ApiTag, Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { ViewService } from 'src/services/view.service';
@@ -13,7 +13,7 @@ export class ViewController {
 constructor(private service: ViewService) {}

 @Get('folder/unique-paths')
- @Authenticated()
+ @Authenticated({ permission: Permission.FolderRead })
 @Endpoint({
 summary: 'Retrieve unique paths',
 description: 'Retrieve a list of unique folder paths from asset original paths.',
@@ -24,7 +24,7 @@ export class ViewController {
 }

 @Get('folder')
- @Authenticated()
+ @Authenticated({ permission: Permission.FolderRead })
 @Endpoint({
 summary: 'Retrieve assets by original path',
 description: 'Retrieve assets that are children of a specific folder.',
diff --git a/server/src/enum.ts b/server/src/enum.ts
index 5a0f6bdbe..8f509754d 100644
--- a/server/src/enum.ts
+++ b/server/src/enum.ts
@@ -146,6 +146,8 @@ export enum Permission {
 FaceUpdate = 'face.update',
 FaceDelete = 'face.delete',
+ FolderRead = 'folder.read',
+ JobCreate = 'job.create',
 JobRead = 'job.read',
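Review bot: Gating `@Get('folder')` on `Permission.FolderRead` means a key holding only `folder.read` can fetch `AssetResponseDto`s for every asset under a path, so `folder.read` effectively carries asset read access through this route, while a key with `asset.read` but not `folder.read` loses the route; if that split is intended, the new enum value would benefit from a comment such as `// folder.read: list original-path folders and the assets under them (returns asset metadata)`. Presumably the service still scopes results to the caller's own assets, which the hunks do not show and which should be confirmed. Both handler bodies and the ViewController class continue outside the hunks.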