From 415550f16d0ea0e7ba3157189f43b299577d9591 Mon Sep 17 00:00:00 2001
From: Matthias Rupp
Date: Sun, 11 Dec 2022 21:24:06 +0100
Subject: [PATCH] fix(server): Allow access to assets in shared album owned by current user (#1094)
* fix(server): Allow access to assets in shared album owned by current user
* Fix sql query
Co-authored-by: Alex Tran
---
 .../src/api-v1/album/album-repository.ts | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/server/apps/immich/src/api-v1/album/album-repository.ts b/server/apps/immich/src/api-v1/album/album-repository.ts
index 569b7b4295..9d04aec363 100644
--- a/server/apps/immich/src/api-v1/album/album-repository.ts
+++ b/server/apps/immich/src/api-v1/album/album-repository.ts
@@ -3,7 +3,7 @@ import { AssetAlbumEntity } from '@app/database/entities/asset-album.entity';
 import { UserAlbumEntity } from '@app/database/entities/user-album.entity';
 import { Injectable } from '@nestjs/common';
 import { InjectRepository } from '@nestjs/typeorm';
-import { In, Repository, SelectQueryBuilder, DataSource } from 'typeorm';
+import { In, Repository, SelectQueryBuilder, DataSource, Brackets } from 'typeorm';
 import { AddAssetsDto } from './dto/add-assets.dto';
 import { AddUsersDto } from './dto/add-users.dto';
 import { CreateAlbumDto } from './dto/create-album.dto';
@@ -286,14 +286,18 @@ export class AlbumRepository implements IAlbumRepository {
 }
 async getSharedWithUserAlbumCount(userId: string, assetId: string): Promise {
- const result = await this
- .userAlbumRepository
- .createQueryBuilder('usa')
- .select('count(aa)', 'count')
- .innerJoin('asset_album', 'aa', 'aa.albumId = usa.albumId')
- .where('aa.assetId = :assetId', { assetId })
- .andWhere('usa.sharedUserId = :userId', { userId })
- .getRawOne();
+ const result = await this.userAlbumRepository
+ .createQueryBuilder('usa')
+ .select('count(aa)', 'count')
+ .innerJoin('asset_album', 'aa', 'aa.albumId = usa.albumId')
+ .innerJoin('albums', 'a', 'a.id = usa.albumId')
+ .where('aa.assetId = :assetId', { assetId })
+ .andWhere(
+ new Brackets((qb) => {
+ qb.where('a.ownerId = :userId', { userId }).orWhere('usa.sharedUserId = :userId', { userId });
+ }),
+ )
+ .getRawOne();
 return result.count;
 }
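Review bot: `getSharedWithUserAlbumCount` now also matches albums the user owns, so its name no longer states the access rule it implements, and the method has no doc comment to carry it. Something like `/** Counts share rows for albums containing assetId that userId either owns or is shared into. */` would do; the caller is outside this hunk, so how the count is used should be confirmed before wording it more strongly. The `Brackets` grouping is what keeps `aa.assetId = :assetId` applied to both the owner and the sharee branch, and a one-line comment saying so would stop a later refactor from flattening it into an unparenthesised `OR`. Because the query is still rooted at `usa`, an owned album with no share rows yields 0; if that is intended, a test covering owner, sharee and unrelated user would pin it. The context line `return result.count;` likely returns a string for a SQL `count`, so `return Number(result.count);` would match the declared return type.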