feat: Add public album routes and enhance authorization checks for media and albums

2025-11-15 17:18:14 +01:00
parent 199544d1c3
commit a9805b5eb1
16 changed files with 323 additions and 92 deletions
--- a/libertas_api/src/services/authorization_service.rs
+++ b/libertas_api/src/services/authorization_service.rs
@@ -107,27 +107,46 @@ impl AuthorizationServiceImpl {

 #[async_trait]
 impl AuthorizationService for AuthorizationServiceImpl {
-    async fn check_permission(&self, user_id: Uuid, permission: Permission) -> CoreResult<()> {
-        let user = self.get_user(user_id).await?;
+    async fn check_permission(
+        &self,
+        user_id: Option<Uuid>,
+        permission: Permission,
+    ) -> CoreResult<()> {
+        let user = if let Some(id) = user_id {
+            Some(self.get_user(id).await?)
+        } else {
+            None
+        };

-        if authz::is_admin(&user) {
-            return Ok(());
+        if let Some(ref user) = user {
+            if authz::is_admin(user) {
+                // [cite: 115]
+                return Ok(());
+            }
        }

        match permission {
            Permission::ViewMedia(media_id) => {
                let media = self.get_media(media_id).await?;
-                if authz::is_owner(user_id, &media) {
+
+                if self.album_repo.is_media_in_public_album(media_id).await? {
                    return Ok(());
                }

-                let is_shared = self
-                    .album_share_repo
-                    .is_media_in_shared_album(media_id, user_id)
-                    .await?;
+                if let Some(id) = user_id {
+                    if authz::is_owner(id, &media) {
+                        // [cite: 117]
+                        return Ok(());
+                    }

-                if is_shared {
-                    return Ok(());
+                    if self
+                        .album_share_repo
+                        .is_media_in_shared_album(media_id, id)
+                        .await?
+                    {
+                        // [cite: 118-119]
+                        return Ok(());
+                    }
                }

                Err(CoreError::Auth(
@@ -136,6 +155,9 @@ impl AuthorizationService for AuthorizationServiceImpl {
            }

            Permission::DeleteMedia(media_id) | Permission::EditMedia(media_id) => {
+                let user_id = user_id.ok_or(CoreError::Auth(
+                    "Authentication required for this action".into(),
+                ))?;
                let media = self.get_media(media_id).await?;
                if authz::is_owner(user_id, &media) {
                    return Ok(());
@@ -149,6 +171,9 @@ impl AuthorizationService for AuthorizationServiceImpl {
            Permission::AddTags(media_id)
            | Permission::RemoveTags(media_id)
            | Permission::EditTags(media_id) => {
+                let user_id = user_id.ok_or(CoreError::Auth(
+                    "Authentication required for this action".into(),
+                ))?;
                let media = self.get_media(media_id).await?;

                if authz::is_owner(user_id, &media) {
@@ -170,6 +195,9 @@ impl AuthorizationService for AuthorizationServiceImpl {
            }

            Permission::ViewAlbum(album_id) => {
+                let user_id = user_id.ok_or(CoreError::Auth(
+                    "Authentication required for this action".into(),
+                ))?;
                let album = self.get_album(album_id).await?;

                let share_permission = self.get_album_share_permission(album_id, user_id).await?;
@@ -184,6 +212,9 @@ impl AuthorizationService for AuthorizationServiceImpl {
            }

            Permission::AddToAlbum(album_id) | Permission::EditAlbum(album_id) => {
+                let user_id = user_id.ok_or(CoreError::Auth(
+                    "Authentication required for this action".into(),
+                ))?;
                let album = self.get_album(album_id).await?;
                let share_permission = self.get_album_share_permission(album_id, user_id).await?;

@@ -197,6 +228,9 @@ impl AuthorizationService for AuthorizationServiceImpl {
            }

            Permission::ShareAlbum(album_id) | Permission::DeleteAlbum(album_id) => {
+                let user_id = user_id.ok_or(CoreError::Auth(
+                    "Authentication required for this action".into(),
+                ))?;
                let album = self.get_album(album_id).await?;

                if authz::is_owner(user_id, &album) {
@@ -209,6 +243,9 @@ impl AuthorizationService for AuthorizationServiceImpl {
            }

            Permission::ViewPerson(person_id) => {
+                let user_id = user_id.ok_or(CoreError::Auth(
+                    "Authentication required for this action".into(),
+                ))?;
                let person = self.get_person(person_id).await?;
                let share_permission = self.get_person_share_permission(person_id, user_id).await?;

@@ -224,6 +261,9 @@ impl AuthorizationService for AuthorizationServiceImpl {
            Permission::EditPerson(person_id)
            | Permission::SharePerson(person_id)
            | Permission::DeletePerson(person_id) => {
+                let user_id = user_id.ok_or(CoreError::Auth(
+                    "Authentication required for this action".into(),
+                ))?;
                let person = self.get_person(person_id).await?;

                if authz::is_owner(user_id, &person) {
@@ -236,6 +276,9 @@ impl AuthorizationService for AuthorizationServiceImpl {
            }

            Permission::UsePerson(person_id) => {
+                let user_id = user_id.ok_or(CoreError::Auth(
+                    "Authentication required for this action".into(),
+                ))?;
                let person = self.get_person(person_id).await?;
                let share_permission = self.get_person_share_permission(person_id, user_id).await?;