fix(server): tighten asset visibility (#18699)

* tighten visibility * update sql * elevated access util function * fix potential sync issue * include in user stats * include hidden assets in size usage * filter visibility in search duplicates query * stack visibility
2025-11-14 17:36:12 +00:00 · 2025-06-02 10:33:08 -04:00 · 2025-06-02 10:33:08 -04:00 · fa22e865a4
commit fa22e865a4
parent b5c3a675b2
21 changed files with 132 additions and 107 deletions
--- a/server/src/queries/asset.repository.sql
+++ b/server/src/queries/asset.repository.sql
@ -130,7 +130,6 @@ select
 from
  "assets"
  left join "exif" on "assets"."id" = "exif"."assetId"
-  left join "asset_stack" on "asset_stack"."id" = "assets"."stackId"
 where
  "assets"."id" = any ($1::uuid[])

@ -240,10 +239,7 @@ with
      "assets"
    where
      "assets"."deletedAt" is null
-      and (
-        "assets"."visibility" = $1
-        or "assets"."visibility" = $2
-      )
+      and "assets"."visibility" in ('archive', 'timeline')
  )
 select
  "timeBucket",
@ -300,21 +296,14 @@ with
        where
          "stacked"."stackId" = "assets"."stackId"
          and "stacked"."deletedAt" is null
-          and "stacked"."visibility" != $1
+          and "stacked"."visibility" = $1
        group by
          "stacked"."stackId"
      ) as "stacked_assets" on true
    where
      "assets"."deletedAt" is null
-      and (
-        "assets"."visibility" = $2
-        or "assets"."visibility" = $3
-      )
-      and date_trunc('MONTH', "localDateTime" at time zone 'UTC') at time zone 'UTC' = $4
-      and (
-        "assets"."visibility" = $5
-        or "assets"."visibility" = $6
-      )
+      and "assets"."visibility" in ('archive', 'timeline')
+      and date_trunc('MONTH', "localDateTime" at time zone 'UTC') at time zone 'UTC' = $2
      and not exists (
        select
        from
@ -374,10 +363,10 @@ with
          "exif"."assetId" = "assets"."id"
      ) as "asset" on true
    where
-      "assets"."ownerId" = $1::uuid
+      "assets"."visibility" in ('archive', 'timeline')
+      and "assets"."ownerId" = $1::uuid
      and "assets"."duplicateId" is not null
      and "assets"."deletedAt" is null
-      and "assets"."visibility" != $2
      and "assets"."stackId" is null
    group by
      "assets"."duplicateId"
@ -388,12 +377,12 @@ with
    from
      "duplicates"
    where
-      json_array_length("assets") = $3
+      json_array_length("assets") = $2
  ),
  "removed_unique" as (
    update "assets"
    set
-      "duplicateId" = $4
+      "duplicateId" = $3
    from
      "unique"
    where