fix: add scoped API permissions to map endpoints (#25423)

2026-03-25 09:15:56 +00:00 · 2026-01-22 13:43:29 +01:00 · 2026-01-22 13:43:29 +01:00 · c320146538
commit c320146538
parent 3304c8efd8
5 changed files with 12 additions and 3 deletions
--- a/mobile/openapi/lib/model/permission.dart
+++ b/mobile/openapi/lib/model/permission.dart
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@ -6305,6 +6305,7 @@
            "state": "Stable"
          }
        ],
+        "x-immich-permission": "map.read",
        "x-immich-state": "Stable"
      }
    },
@ -6376,6 +6377,7 @@
            "state": "Stable"
          }
        ],
+        "x-immich-permission": "map.search",
        "x-immich-state": "Stable"
      }
    },
@ -18966,6 +18968,8 @@
          "timeline.read",
          "timeline.download",
          "maintenance",
+          "map.read",
+          "map.search",
          "memory.create",
          "memory.read",
          "memory.update",
--- a/open-api/typescript-sdk/src/fetch-client.ts
+++ b/open-api/typescript-sdk/src/fetch-client.ts
@ -5534,6 +5534,8 @@ export enum Permission {
    TimelineRead = "timeline.read",
    TimelineDownload = "timeline.download",
    Maintenance = "maintenance",
+    MapRead = "map.read",
+    MapSearch = "map.search",
    MemoryCreate = "memory.create",
    MemoryRead = "memory.read",
    MemoryUpdate = "memory.update",
--- a/server/src/controllers/map.controller.ts
+++ b/server/src/controllers/map.controller.ts
@ -8,7 +8,7 @@ import {
  MapReverseGeocodeDto,
  MapReverseGeocodeResponseDto,
 } from 'src/dtos/map.dto';
-import { ApiTag } from 'src/enum';
+import { ApiTag, Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { MapService } from 'src/services/map.service';

@ -18,7 +18,7 @@ export class MapController {
  constructor(private service: MapService) {}

  @Get('markers')
-  @Authenticated()
+  @Authenticated({ permission: Permission.MapRead })
  @Endpoint({
    summary: 'Retrieve map markers',
    description: 'Retrieve a list of latitude and longitude coordinates for every asset with location data.',
@ -28,8 +28,8 @@ export class MapController {
    return this.service.getMapMarkers(auth, options);
  }

-  @Authenticated()
  @Get('reverse-geocode')
+  @Authenticated({ permission: Permission.MapSearch })
  @HttpCode(HttpStatus.OK)
  @Endpoint({
    summary: 'Reverse geocode coordinates',
--- a/server/src/enum.ts
+++ b/server/src/enum.ts
@ -160,6 +160,9 @@ export enum Permission {

  Maintenance = 'maintenance',

+  MapRead = 'map.read',
+  MapSearch = 'map.search',
+
  MemoryCreate = 'memory.create',
  MemoryRead = 'memory.read',
  MemoryUpdate = 'memory.update',