feat: readonly album sharing (#8720)

* rename albums_shared_users_users to album_permissions and add readonly column * disable synchronize on the original join table * remove unnecessary FK names * set readonly=true as default for new album shares * separate and implement album READ and WRITE permission * expose albumPermissions on the API, deprecate sharedUsers * generate openapi * create readonly view on frontend * ??? move slideshow button out from ellipsis menu so that non-owners can have access too * correct sharedUsers joins * add album permission repository * remove a log * fix assetCount getting reset when adding users * fix lint * add set permission endpoint and UI * sort users * remove log * Revert "??? move slideshow button out from ellipsis menu so that non-owners can have access too" This reverts commit 1343bfa311. * rename stuff * fix db schema annotations * sql generate * change readonly default to follow migration * fix deprecation notice * change readonly boolean to role enum * fix joincolumn as primary key * rename albumUserRepository in album service * clean up userId and albumId * add write access to shared link * fix existing tests * switch to vitest * format and fix tests on web * add new test * fix one e2e test * rename new API field to albumUsers * capitalize serverside enum * remove unused ReadWrite type * missed rename from previous commit * rename to albumUsers in album entity as well * remove outdated Equals calls * unnecessary relation * rename to updateUser in album service * minor renamery * move sorting to backend * rename and separate ALBUM_WRITE as ADD_ASSET and REMOVE_ASSET * fix tests * fix "should migrate single moving picture" test failing on European system timezone * generated changes after merge * lint fix * fix correct page to open after removing user from album * fix e2e tests and some bugs * rename updateAlbumUser rest endpoint * add new e2e tests for updateAlbumUser endpoint * small optimizations * refactor album e2e test, add new album shared with viewer * add new test to check if viewer can see the album * add new e2e tests for readonly share * failing test: User delete doesn't cascade to UserAlbum entity * fix: handle deleted users * use lodash for sort * add role to addUsersToAlbum endpoint * add UI for adding editors * lint fixes * change role back to editor as DB default * fix server tests * redesign user selection modal editor selector * style tweaks * fix type error * Revert "style tweaks" This reverts commit ab604f4c8f. * Revert "redesign user selection modal editor selector" This reverts commit e6f344856c. * chore: cleanup and improve add user modal * chore: open api * small styling --------- Co-authored-by: mgabor <> Co-authored-by: Jason Rasmussen <jrasm91@gmail.com> Co-authored-by: Alex Tran <alex.tran1502@gmail.com>
2025-11-14 17:36:12 +00:00 · 2024-04-25 06:19:49 +02:00 · 2024-04-25 06:19:49 +02:00 · 2943f93098
commit 2943f93098
parent 0b3373c552
56 changed files with 1778 additions and 370 deletions
--- a/e2e/src/api/specs/album.e2e-spec.ts
+++ b/e2e/src/api/specs/album.e2e-spec.ts
@ -1,12 +1,13 @@
 import {
+  addAssetsToAlbum,
  AlbumResponseDto,
+  AlbumUserRole,
  AssetFileUploadResponseDto,
  AssetOrder,
-  LoginResponseDto,
-  SharedLinkType,
-  addAssetsToAlbum,
  deleteUser,
  getAlbumInfo,
+  LoginResponseDto,
+  SharedLinkType,
 } from '@immich/sdk';
 import { createUserDto, uuidDto } from 'src/fixtures';
 import { errorDto } from 'src/responses';
@ -14,7 +15,8 @@ import { app, asBearerAuth, utils } from 'src/utils';
 import request from 'supertest';
 import { beforeAll, beforeEach, describe, expect, it } from 'vitest';

-const user1SharedUser = 'user1SharedUser';
+const user1SharedEditorUser = 'user1SharedEditorUser';
+const user1SharedViewerUser = 'user1SharedViewerUser';
 const user1SharedLink = 'user1SharedLink';
 const user1NotShared = 'user1NotShared';
 const user2SharedUser = 'user2SharedUser';
@ -49,35 +51,61 @@ describe('/album', () => {

    const albums = await Promise.all([
      // user 1
+      /* 0 */
      utils.createAlbum(user1.accessToken, {
-        albumName: user1SharedUser,
+        albumName: user1SharedEditorUser,
        sharedWithUserIds: [user2.userId],
        assetIds: [user1Asset1.id],
      }),
+      /* 1 */
      utils.createAlbum(user1.accessToken, {
        albumName: user1SharedLink,
        assetIds: [user1Asset1.id],
      }),
+      /* 2 */
      utils.createAlbum(user1.accessToken, {
        albumName: user1NotShared,
        assetIds: [user1Asset1.id, user1Asset2.id],
      }),

      // user 2
+      /* 3 */
      utils.createAlbum(user2.accessToken, {
        albumName: user2SharedUser,
-        sharedWithUserIds: [user1.userId],
+        sharedWithUserIds: [user1.userId, user3.userId],
      }),
+      /* 4 */
      utils.createAlbum(user2.accessToken, { albumName: user2SharedLink }),
+      /* 5 */
      utils.createAlbum(user2.accessToken, { albumName: user2NotShared }),

      // user 3
+      /* 6 */
      utils.createAlbum(user3.accessToken, {
        albumName: 'Deleted',
        sharedWithUserIds: [user1.userId],
      }),
+
+      // user1 shared with an editor
+      /* 7 */
+      utils.createAlbum(user1.accessToken, {
+        albumName: user1SharedViewerUser,
+        sharedWithUserIds: [user2.userId],
+        assetIds: [user1Asset1.id],
+      }),
    ]);

+    // Make viewer
+    await utils.updateAlbumUser(user1.accessToken, {
+      id: albums[7].id,
+      userId: user2.userId,
+      updateAlbumUserDto: { role: AlbumUserRole.Viewer },
+    });
+
+    albums[0].albumUsers[0].role = AlbumUserRole.Editor;
+    albums[3].albumUsers[0].role = AlbumUserRole.Editor;
+    albums[6].albumUsers[0].role = AlbumUserRole.Editor;
+
    await addAssetsToAlbum(
      { id: albums[3].id, bulkIdsDto: { ids: [user1Asset1.id] } },
      { headers: asBearerAuth(user1.accessToken) },
@ -85,7 +113,7 @@ describe('/album', () => {

    albums[3] = await getAlbumInfo({ id: albums[3].id }, { headers: asBearerAuth(user2.accessToken) });

-    user1Albums = albums.slice(0, 3);
+    user1Albums = [...albums.slice(0, 3), albums[7]];
    user2Albums = albums.slice(3, 6);

    await Promise.all([
@ -144,7 +172,7 @@ describe('/album', () => {
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(200);
-      expect(body).toHaveLength(3);
+      expect(body).toHaveLength(4);
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
@ -154,7 +182,12 @@ describe('/album', () => {
          }),
          expect.objectContaining({
            ownerId: user1.userId,
-            albumName: user1SharedUser,
+            albumName: user1SharedEditorUser,
+            shared: true,
+          }),
+          expect.objectContaining({
+            ownerId: user1.userId,
+            albumName: user1SharedViewerUser,
            shared: true,
          }),
          expect.objectContaining({
@ -169,12 +202,17 @@ describe('/album', () => {
    it('should return the album collection including owned and shared', async () => {
      const { status, body } = await request(app).get('/album').set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
-      expect(body).toHaveLength(3);
+      expect(body).toHaveLength(4);
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
            ownerId: user1.userId,
-            albumName: user1SharedUser,
+            albumName: user1SharedEditorUser,
+            shared: true,
+          }),
+          expect.objectContaining({
+            ownerId: user1.userId,
+            albumName: user1SharedViewerUser,
            shared: true,
          }),
          expect.objectContaining({
@ -196,12 +234,17 @@ describe('/album', () => {
        .get('/album?shared=true')
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
-      expect(body).toHaveLength(3);
+      expect(body).toHaveLength(4);
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
            ownerId: user1.userId,
-            albumName: user1SharedUser,
+            albumName: user1SharedEditorUser,
+            shared: true,
+          }),
+          expect.objectContaining({
+            ownerId: user1.userId,
+            albumName: user1SharedViewerUser,
            shared: true,
          }),
          expect.objectContaining({
@ -248,7 +291,7 @@ describe('/album', () => {
        .get(`/album?shared=true&assetId=${user1Asset1.id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
-      expect(body).toHaveLength(4);
+      expect(body).toHaveLength(5);
    });

    it('should return the album collection filtered by assetId and ignores shared=false', async () => {
@ -256,7 +299,7 @@ describe('/album', () => {
        .get(`/album?shared=false&assetId=${user1Asset1.id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
-      expect(body).toHaveLength(4);
+      expect(body).toHaveLength(5);
    });
  });

@ -279,16 +322,22 @@ describe('/album', () => {
      });
    });

-    it('should return album info for shared album', async () => {
+    it('should return album info for shared album (editor)', async () => {
      const { status, body } = await request(app)
        .get(`/album/${user2Albums[0].id}?withoutAssets=false`)
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(200);
-      expect(body).toEqual({
-        ...user2Albums[0],
-        assets: [expect.objectContaining({ id: user2Albums[0].assets[0].id })],
-      });
+      expect(body).toMatchObject({ id: user2Albums[0].id });
+    });
+
+    it('should return album info for shared album (viewer)', async () => {
+      const { status, body } = await request(app)
+        .get(`/album/${user1Albums[3].id}?withoutAssets=false`)
+        .set('Authorization', `Bearer ${user2.accessToken}`);
+
+      expect(status).toBe(200);
+      expect(body).toMatchObject({ id: user1Albums[3].id });
    });

    it('should return album info with assets when withoutAssets is undefined', async () => {
@ -330,7 +379,7 @@ describe('/album', () => {
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(200);
-      expect(body).toEqual({ owned: 3, shared: 3, notShared: 1 });
+      expect(body).toEqual({ owned: 4, shared: 4, notShared: 1 });
    });
  });

@ -357,6 +406,7 @@ describe('/album', () => {
        albumThumbnailAssetId: null,
        shared: false,
        sharedUsers: [],
+        albumUsers: [],
        hasSharedLink: false,
        assets: [],
        assetCount: 0,
@ -395,6 +445,17 @@ describe('/album', () => {
      expect(status).toBe(200);
      expect(body).toEqual([expect.objectContaining({ id: asset.id, success: true })]);
    });
+
+    it('should not be able to add assets to album as a viewer', async () => {
+      const asset = await utils.createAsset(user2.accessToken);
+      const { status, body } = await request(app)
+        .put(`/album/${user1Albums[3].id}/assets`)
+        .set('Authorization', `Bearer ${user2.accessToken}`)
+        .send({ ids: [asset.id] });
+
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest('Not found or no album.addAsset access'));
+    });
  });

  describe('PATCH /album/:id', () => {
@ -425,6 +486,26 @@ describe('/album', () => {
        description: 'An album description',
      });
    });
+
+    it('should not be able to update as a viewer', async () => {
+      const { status, body } = await request(app)
+        .patch(`/album/${user1Albums[3].id}`)
+        .set('Authorization', `Bearer ${user2.accessToken}`)
+        .send({ albumName: 'New album name' });
+
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest('Not found or no album.update access'));
+    });
+
+    it('should not be able to update as an editor', async () => {
+      const { status, body } = await request(app)
+        .patch(`/album/${user1Albums[0].id}`)
+        .set('Authorization', `Bearer ${user2.accessToken}`)
+        .send({ albumName: 'New album name' });
+
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest('Not found or no album.update access'));
+    });
  });

  describe('DELETE /album/:id/assets', () => {
@ -488,6 +569,16 @@ describe('/album', () => {
      expect(status).toBe(200);
      expect(body).toEqual([expect.objectContaining({ id: user1Asset1.id, success: true })]);
    });
+
+    it('should not be able to remove assets from album as a viewer', async () => {
+      const { status, body } = await request(app)
+        .delete(`/album/${user1Albums[3].id}/assets`)
+        .set('Authorization', `Bearer ${user2.accessToken}`)
+        .send({ ids: [user1Asset1.id] });
+
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest('Not found or no album.removeAsset access'));
+    });
  });

  describe('PUT :id/users', () => {
@ -510,7 +601,7 @@ describe('/album', () => {
      const { status, body } = await request(app)
        .put(`/album/${album.id}/users`)
        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({ sharedUserIds: [user2.userId] });
+        .send({ albumUsers: [{ userId: user2.userId, role: AlbumUserRole.Editor }] });

      expect(status).toBe(200);
      expect(body).toEqual(
@ -524,7 +615,7 @@ describe('/album', () => {
      const { status, body } = await request(app)
        .put(`/album/${album.id}/users`)
        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({ sharedUserIds: [user1.userId] });
+        .send({ albumUsers: [{ userId: user1.userId, role: AlbumUserRole.Editor }] });

      expect(status).toBe(400);
      expect(body).toEqual(errorDto.badRequest('Cannot be shared with owner'));
@ -534,15 +625,54 @@ describe('/album', () => {
      await request(app)
        .put(`/album/${album.id}/users`)
        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({ sharedUserIds: [user2.userId] });
+        .send({ albumUsers: [{ userId: user2.userId, role: AlbumUserRole.Editor }] });

      const { status, body } = await request(app)
        .put(`/album/${album.id}/users`)
        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({ sharedUserIds: [user2.userId] });
+        .send({ albumUsers: [{ userId: user2.userId, role: AlbumUserRole.Editor }] });

      expect(status).toBe(400);
      expect(body).toEqual(errorDto.badRequest('User already added'));
    });
  });
+
+  describe('PUT :id/user/:userId', () => {
+    it('should allow the album owner to change the role of a shared user', async () => {
+      const album = await utils.createAlbum(user1.accessToken, {
+        albumName: 'testAlbum',
+        sharedWithUserIds: [user2.userId],
+      });
+
+      const { status } = await request(app)
+        .put(`/album/${album.id}/user/${user2.userId}`)
+        .set('Authorization', `Bearer ${user1.accessToken}`)
+        .send({ role: AlbumUserRole.Editor });
+
+      expect(status).toBe(200);
+
+      // Get album to verify the role change
+      const { body } = await request(app).get(`/album/${album.id}`).set('Authorization', `Bearer ${user1.accessToken}`);
+      expect(body).toEqual(
+        expect.objectContaining({
+          albumUsers: [expect.objectContaining({ role: AlbumUserRole.Editor })],
+        }),
+      );
+    });
+
+    it('should not allow a shared user to change the role of another shared user', async () => {
+      const album = await utils.createAlbum(user1.accessToken, {
+        albumName: 'testAlbum',
+        sharedWithUserIds: [user2.userId],
+      });
+
+      const { status, body } = await request(app)
+        .put(`/album/${album.id}/user/${user2.userId}`)
+        .set('Authorization', `Bearer ${user2.accessToken}`)
+        .send({ role: AlbumUserRole.Editor });
+
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest('Not found or no album.share access'));
+    });
+  });
 });