From c320146538cfc28f4ccaa7359ca1b6600e51400a Mon Sep 17 00:00:00 2001
From: Mees Frensel <33722705+meesfrensel@users.noreply.github.com>
Date: Thu, 22 Jan 2026 13:43:29 +0100
Subject: [PATCH] fix: add scoped API permissions to map endpoints (#25423)
---
 mobile/openapi/lib/model/permission.dart | Bin 28154 -> 28436 bytes
 open-api/immich-openapi-specs.json | 4 ++++
 open-api/typescript-sdk/src/fetch-client.ts | 2 ++
 server/src/controllers/map.controller.ts | 6 +++---
 server/src/enum.ts | 3 +++
 5 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/mobile/openapi/lib/model/permission.dart b/mobile/openapi/lib/model/permission.dart
index d5b9bf50867dbee4390459facc2386ec38cad594..37aecc8b9c8480933b92da26a15af83162dcbcda 100644
GIT binary patch delta 152 zcmex$n{moL#tr`jnGy>oH}c3Z=K^U%772bJ9gtd-nV%Aznpl*aF*#63m@~0JuNcB> z_+W-WtlE4x HP*w&2l0!EZ delta 40 wcmbPokMY-S#tr`jC)){gPfll&m@F&IzIlOAjlyOZV{iG%{lRRT`GZ+y07;V$8~^|S
diff --git a/open-api/immich-openapi-specs.json b/open-api/immich-openapi-specs.json
index 7f09f7b33..cb0c8f8a6 100644
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@@ -6305,6 +6305,7 @@
 "state": "Stable"
 }
 ],
+ "x-immich-permission": "map.read",
 "x-immich-state": "Stable"
 }
 },
@@ -6376,6 +6377,7 @@
 "state": "Stable"
 }
 ],
+ "x-immich-permission": "map.search",
 "x-immich-state": "Stable"
 }
 },
@@ -18966,6 +18968,8 @@
 "timeline.read",
 "timeline.download",
 "maintenance",
+ "map.read",
+ "map.search",
 "memory.create",
 "memory.read",
 "memory.update",
diff --git a/open-api/typescript-sdk/src/fetch-client.ts b/open-api/typescript-sdk/src/fetch-client.ts
index 97745cc5a..09a086053 100644
--- a/open-api/typescript-sdk/src/fetch-client.ts
+++ b/open-api/typescript-sdk/src/fetch-client.ts
@@ -5534,6 +5534,8 @@ export enum Permission {
 TimelineRead = "timeline.read",
 TimelineDownload = "timeline.download",
 Maintenance = "maintenance",
+ MapRead = "map.read",
+ MapSearch = "map.search",
 MemoryCreate = "memory.create",
 MemoryRead = "memory.read",
 MemoryUpdate = "memory.update",
diff --git a/server/src/controllers/map.controller.ts b/server/src/controllers/map.controller.ts
index dbd108256..ae3b56af2 100644
--- a/server/src/controllers/map.controller.ts
+++ b/server/src/controllers/map.controller.ts
@@ -8,7 +8,7 @@ import {
 MapReverseGeocodeDto,
 MapReverseGeocodeResponseDto,
 } from 'src/dtos/map.dto';
-import { ApiTag } from 'src/enum';
+import { ApiTag, Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { MapService } from 'src/services/map.service';
@@ -18,7 +18,7 @@ export class MapController {
 constructor(private service: MapService) {}
 @Get('markers')
- @Authenticated()
+ @Authenticated({ permission: Permission.MapRead })
 @Endpoint({
 summary: 'Retrieve map markers',
 description: 'Retrieve a list of latitude and longitude coordinates for every asset with location data.',
@@ -28,8 +28,8 @@ export class MapController {
 return this.service.getMapMarkers(auth, options);
 }
- @Authenticated()
 @Get('reverse-geocode')
+ @Authenticated({ permission: Permission.MapSearch })
 @HttpCode(HttpStatus.OK)
 @Endpoint({
 summary: 'Reverse geocode coordinates',
diff --git a/server/src/enum.ts b/server/src/enum.ts
index 8a7e1dc78..5a0f6bdbe 100644
--- a/server/src/enum.ts
+++ b/server/src/enum.ts
@@ -160,6 +160,9 @@ export enum Permission {
 Maintenance = 'maintenance',
+ MapRead = 'map.read',
+ MapSearch = 'map.search',
+
 MemoryCreate = 'memory.create',
 MemoryRead = 'memory.read',
 MemoryUpdate = 'memory.update',
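Review bot: The new `permission` arguments on `markers` (`Permission.MapRead`) and `reverse-geocode` (`Permission.MapSearch`) in map.controller.ts arrive without any test: the diffstat lists five files and none of them is a spec. A controller or e2e case asserting that an API key lacking `map.read` is refused on `markers`, and likewise `map.search` on `reverse-geocode`, would keep the scope from being dropped silently in a later refactor. Assuming `@Authenticated()` without a permission let any scoped key through, keys that were issued with a limited scope and already call these routes will presumably start failing after this change, which deserves a line in the release notes. Both handler bodies continue outside their hunks.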
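Review bot: `MapSearch = 'map.search'` in server/src/enum.ts is not self-explanatory, since in this commit it guards only `reverse-geocode`, which is a coordinate lookup rather than a search. A short comment above the pair would tell whoever configures key scopes what each value grants, for example `// map.read guards the markers route; map.search guards reverse-geocode`. The enum body starts and ends outside the hunk.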