fix(server): partner can view archived assets (#9750)

* fix(server): partner can view archived assets

* update sql queries

e2e/src/api/specs/asset.e2e-spec.ts

@@ -86,6 +86,8 @@ describe('/asset', () => {
       utils.userSetup(admin.accessToken, createUserDto.create('stack')),
     ]);
 
+    await utils.createPartner(user1.accessToken, user2.userId);
+
     // asset location
     locationAsset = await utils.createAsset(admin.accessToken, {
       assetData: {
@@ -233,6 +235,35 @@ describe('/asset', () => {
       expect(data.status).toBe(200);
       expect(data.body).toMatchObject({ people: [] });
     });
+
+    describe('partner assets', () => {
+      it('should get the asset info', async () => {
+        const { status, body } = await request(app)
+          .get(`/asset/${user1Assets[0].id}`)
+          .set('Authorization', `Bearer ${user2.accessToken}`);
+        expect(status).toBe(200);
+        expect(body).toMatchObject({ id: user1Assets[0].id });
+      });
+
+      it('disallows viewing archived assets', async () => {
+        const asset = await utils.createAsset(user1.accessToken, { isArchived: true });
+
+        const { status } = await request(app)
+          .get(`/asset/${asset.id}`)
+          .set('Authorization', `Bearer ${user2.accessToken}`);
+        expect(status).toBe(400);
+      });
+
+      it('disallows viewing trashed assets', async () => {
+        const asset = await utils.createAsset(user1.accessToken);
+        await utils.deleteAssets(user1.accessToken, [asset.id]);
+
+        const { status } = await request(app)
+          .get(`/asset/${asset.id}`)
+          .set('Authorization', `Bearer ${user2.accessToken}`);
+        expect(status).toBe(400);
+      });
+    });
   });
 
   describe('GET /asset/statistics', () => {

e2e/src/utils.ts

@@ -13,6 +13,7 @@ import {
   createAlbum,
   createApiKey,
   createLibrary,
+  createPartner,
   createPerson,
   createSharedLink,
   createUser,
@@ -385,6 +386,8 @@ export const utils = {
   validateLibrary: (accessToken: string, id: string, dto: ValidateLibraryDto) =>
     validate({ id, validateLibraryDto: dto }, { headers: asBearerAuth(accessToken) }),
 
+  createPartner: (accessToken: string, id: string) => createPartner({ id }, { headers: asBearerAuth(accessToken) }),
+
   setAuthCookies: async (context: BrowserContext, accessToken: string) =>
     await context.addCookies([
       {

server/src/queries/access.repository.sql

@@ -153,6 +153,7 @@ FROM
   AND ("asset"."deletedAt" IS NULL)
 WHERE
   "partner"."sharedWithId" = $1
+  AND "asset"."isArchived" = false
   AND "asset"."id" IN ($2)
 
 -- AccessRepository.asset.checkSharedLinkAccess

server/src/repositories/access.repository.ts

@@ -240,6 +240,7 @@ class AssetAccess implements IAssetAccess {
       .innerJoin('sharedBy.assets', 'asset')
       .select('asset.id', 'assetId')
       .where('partner.sharedWithId = :userId', { userId })
+      .andWhere('asset.isArchived = false')
       .andWhere('asset.id IN (:...assetIds)', { assetIds: [...assetIds] })
       .getRawMany()
       .then((rows) => new Set(rows.map((row) => row.assetId)));