From 8a7b0f66a4bf69d1b79c9a529f73448a5c5fc22e Mon Sep 17 00:00:00 2001
From: Michel Heusschen <59014050+michelheusschen@users.noreply.github.com>
Date: Sat, 25 May 2024 12:53:57 +0200
Subject: [PATCH] fix(server): partner can view archived assets (#9750)

* fix(server): partner can view archived assets

* update sql queries
---
 e2e/src/api/specs/asset.e2e-spec.ts | 31 ++++++++++++++++++++
 e2e/src/utils.ts | 3 ++
 server/src/queries/access.repository.sql | 1 +
 server/src/repositories/access.repository.ts | 1 +
 4 files changed, 36 insertions(+)

diff --git a/e2e/src/api/specs/asset.e2e-spec.ts b/e2e/src/api/specs/asset.e2e-spec.ts
index c110440132..98dca464bc 100644
--- a/e2e/src/api/specs/asset.e2e-spec.ts
+++ b/e2e/src/api/specs/asset.e2e-spec.ts
@@ -86,6 +86,8 @@ describe('/asset', () => {
 utils.userSetup(admin.accessToken, createUserDto.create('stack')),
 ]);
 
+ await utils.createPartner(user1.accessToken, user2.userId);
+
 // asset location
 locationAsset = await utils.createAsset(admin.accessToken, {
 assetData: {
@@ -233,6 +235,35 @@ describe('/asset', () => {
 expect(data.status).toBe(200);
 expect(data.body).toMatchObject({ people: [] });
 });
+
+ describe('partner assets', () => {
+ it('should get the asset info', async () => {
+ const { status, body } = await request(app)
+ .get(`/asset/${user1Assets[0].id}`)
+ .set('Authorization', `Bearer ${user2.accessToken}`);
+ expect(status).toBe(200);
+ expect(body).toMatchObject({ id: user1Assets[0].id });
+ });
+
+ it('disallows viewing archived assets', async () => {
+ const asset = await utils.createAsset(user1.accessToken, { isArchived: true });
+
+ const { status } = await request(app)
+ .get(`/asset/${asset.id}`)
+ .set('Authorization', `Bearer ${user2.accessToken}`);
+ expect(status).toBe(400);
+ });
+
+ it('disallows viewing trashed assets', async () => {
+ const asset = await utils.createAsset(user1.accessToken);
+ await utils.deleteAssets(user1.accessToken, [asset.id]);
+
+ const { status } = await request(app)
+ .get(`/asset/${asset.id}`)
+ .set('Authorization', `Bearer ${user2.accessToken}`);
+ expect(status).toBe(400);
+ });
+ });
 });
 
 describe('GET /asset/statistics', () => {
diff --git a/e2e/src/utils.ts b/e2e/src/utils.ts
index be4faab707..1454135c12 100644
--- a/e2e/src/utils.ts
+++ b/e2e/src/utils.ts
@@ -13,6 +13,7 @@ import {
 createAlbum,
 createApiKey,
 createLibrary,
+ createPartner,
 createPerson,
 createSharedLink,
 createUser,
@@ -385,6 +386,8 @@ export const utils = {
 validateLibrary: (accessToken: string, id: string, dto: ValidateLibraryDto) =>
 validate({ id, validateLibraryDto: dto }, { headers: asBearerAuth(accessToken) }),
 
+ createPartner: (accessToken: string, id: string) => createPartner({ id }, { headers: asBearerAuth(accessToken) }),
+
 setAuthCookies: async (context: BrowserContext, accessToken: string) =>
 await context.addCookies([
 {
diff --git a/server/src/queries/access.repository.sql b/server/src/queries/access.repository.sql
index b08638707e..ffe4b6413f 100644
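Review bot: The new 'partner assets' block only exercises the partner's side of the check; there is no positive control that the owner can still read the archived asset, so a filter applied on the wrong access path (or to every caller) would leave this suite green. I'd add a case next to 'disallows viewing archived assets' that fetches the same `asset.id` with `.set('Authorization', `Bearer ${user1.accessToken}`)` and asserts `expect(status).toBe(200)`. The partner link that these tests depend on is created in a setup block outside this hunk, and the enclosing `describe('/asset', …)` continues past it. Whether other partner-facing endpoints (timeline, download) route through the same access check is not visible here; if they do, one of them deserves the archived case as well.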
--- a/server/src/queries/access.repository.sql
+++ b/server/src/queries/access.repository.sql
@@ -153,6 +153,7 @@ FROM
 AND ("asset"."deletedAt" IS NULL)
 WHERE
 "partner"."sharedWithId" = $1
+ AND "asset"."isArchived" = false
 AND "asset"."id" IN ($2)
 
 -- AccessRepository.asset.checkSharedLinkAccess
diff --git a/server/src/repositories/access.repository.ts b/server/src/repositories/access.repository.ts
index 17746b1556..9dd294cc21 100644
--- a/server/src/repositories/access.repository.ts
+++ b/server/src/repositories/access.repository.ts
@@ -240,6 +240,7 @@ class AssetAccess implements IAssetAccess {
 .innerJoin('sharedBy.assets', 'asset')
 .select('asset.id', 'assetId')
 .where('partner.sharedWithId = :userId', { userId })
+ .andWhere('asset.isArchived = false')
 .andWhere('asset.id IN (:...assetIds)', { assetIds: [...assetIds] })
 .getRawMany()
 .then((rows) => new Set(rows.map((row) => row.assetId)));
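Review bot: `.andWhere('asset.isArchived = false')` in the partner-access query is the authorization fix itself, but nothing on that line says so; a later reader could treat it as a listing/display concern and drop it. Suggest a why-comment on it: `// partners never get access to archived assets; this predicate gates the access check, not just listings`. The condition is also written as a raw-SQL literal while the neighbouring `.where` and `.andWhere` bind parameters; `.andWhere('asset.isArchived = :isArchived', { isArchived: false })` would match that style, though a literal `false` carries no injection risk here. The same predicate is duplicated in the generated access.repository.sql hunk above, which must be regenerated whenever this query changes; the method's signature and return statement lie outside this hunk.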