API: Cover shared-only session access to the files endpoint

Add a GetFile subtest asserting a shared-only (guest) session receives no
file details from /api/v1/files/:hash, locking in the per-session access
behavior. Per-photo file scope is covered separately by
search.TestFileVisibleToSession.
This commit is contained in:
Michael Mayer 2026-06-01 15:21:10 +00:00
parent 7d9fee0aa4
commit cd44267bce

View file

@ -7,6 +7,8 @@ import (
"github.com/tidwall/gjson"
"github.com/stretchr/testify/assert"
"github.com/photoprism/photoprism/internal/config"
)
func TestGetFile(t *testing.T) {
@ -25,4 +27,19 @@ func TestGetFile(t *testing.T) {
r := PerformRequest(app, "GET", "/api/v1/files/111")
assert.Equal(t, http.StatusNotFound, r.Code)
})
t.Run("SharedOnlySessionDenied", func(t *testing.T) {
app, router, conf := NewApiTest()
conf.SetAuthMode(config.AuthModePasswd)
defer conf.SetAuthMode(config.AuthModePublic)
GetFile(router)
// A shared-only (guest) session has no files access, so the endpoint denies the request
// at the ACL check before the visibility gate. Per-photo file scope (the gate that returns
// 404 for an out-of-scope file when the role does have files access, e.g. a viewer in
// Plus/Pro) is covered by search.TestFileVisibleToSession.
authToken := AuthenticateUser(app, router, "gandalf", "Gandalf123!")
r := AuthenticatedRequest(app, "GET", "/api/v1/files/2cad9168fa6acc5c5c2965ddf6ec465ca42fd818", authToken)
assert.Equal(t, http.StatusForbidden, r.Code)
})
}