fix(server): tighten asset visibility (#18699)

* tighten visibility

* update sql

* elevated access util function

* fix potential sync issue

* include in user stats

* include hidden assets in size usage

* filter visibility in search duplicates query

* stack visibility

Author: mertalev

server/src/queries/activity.repository.sql

@@ -73,3 +73,4 @@ where
   and "activity"."albumId" = $2
   and "activity"."isLiked" = $3
   and "assets"."deletedAt" is null
+  and "assets"."visibility" != 'locked'

server/src/queries/album.repository.sql

@@ -80,6 +80,7 @@ select
         where
           "albums_assets_assets"."albumsId" = "albums"."id"
           and "assets"."deletedAt" is null
+          and "assets"."visibility" in ('archive', 'timeline')
         order by
           "assets"."fileCreatedAt" desc
       ) as "asset"
@@ -178,7 +179,8 @@ from
   "assets"
   inner join "albums_assets_assets" as "album_assets" on "album_assets"."assetsId" = "assets"."id"
 where
-  "album_assets"."albumsId" in ($1)
+  "assets"."visibility" in ('archive', 'timeline')
+  and "album_assets"."albumsId" in ($1)
   and "assets"."deletedAt" is null
 group by
   "album_assets"."albumsId"

server/src/queries/asset.job.repository.sql

@@ -186,8 +186,8 @@ from
   inner join "smart_search" on "assets"."id" = "smart_search"."assetId"
   inner join "asset_job_status" as "job_status" on "job_status"."assetId" = "assets"."id"
 where
-  "assets"."visibility" != $1
-  and "assets"."deletedAt" is null
+  "assets"."deletedAt" is null
+  and "assets"."visibility" in ('archive', 'timeline')
   and "job_status"."duplicatesDetectedAt" is null
 
 -- AssetJobRepository.streamForEncodeClip
@@ -349,7 +349,7 @@ from
       "assets" as "stacked"
     where
       "stacked"."deletedAt" is not null
-      and "stacked"."visibility" != $1
+      and "stacked"."visibility" = $1
       and "stacked"."stackId" = "asset_stack"."id"
     group by
       "asset_stack"."id"

server/src/queries/asset.repository.sql

@@ -130,7 +130,6 @@ select
 from
   "assets"
   left join "exif" on "assets"."id" = "exif"."assetId"
-  left join "asset_stack" on "asset_stack"."id" = "assets"."stackId"
 where
   "assets"."id" = any ($1::uuid[])
 
@@ -240,10 +239,7 @@ with
       "assets"
     where
       "assets"."deletedAt" is null
-      and (
-        "assets"."visibility" = $1
-        or "assets"."visibility" = $2
-      )
+      and "assets"."visibility" in ('archive', 'timeline')
   )
 select
   "timeBucket",
@@ -300,21 +296,14 @@ with
         where
           "stacked"."stackId" = "assets"."stackId"
           and "stacked"."deletedAt" is null
-          and "stacked"."visibility" != $1
+          and "stacked"."visibility" = $1
         group by
           "stacked"."stackId"
       ) as "stacked_assets" on true
     where
       "assets"."deletedAt" is null
-      and (
-        "assets"."visibility" = $2
-        or "assets"."visibility" = $3
-      )
-      and date_trunc('MONTH', "localDateTime" at time zone 'UTC') at time zone 'UTC' = $4
-      and (
-        "assets"."visibility" = $5
-        or "assets"."visibility" = $6
-      )
+      and "assets"."visibility" in ('archive', 'timeline')
+      and date_trunc('MONTH', "localDateTime" at time zone 'UTC') at time zone 'UTC' = $2
       and not exists (
         select
         from
@@ -374,10 +363,10 @@ with
           "exif"."assetId" = "assets"."id"
       ) as "asset" on true
     where
-      "assets"."ownerId" = $1::uuid
+      "assets"."visibility" in ('archive', 'timeline')
+      and "assets"."ownerId" = $1::uuid
       and "assets"."duplicateId" is not null
       and "assets"."deletedAt" is null
-      and "assets"."visibility" != $2
       and "assets"."stackId" is null
     group by
       "assets"."duplicateId"
@@ -388,12 +377,12 @@ with
     from
       "duplicates"
     where
-      json_array_length("assets") = $3
+      json_array_length("assets") = $2
   ),
   "removed_unique" as (
     update "assets"
     set
-      "duplicateId" = $4
+      "duplicateId" = $3
     from
       "unique"
     where

server/src/queries/person.repository.sql

@@ -182,27 +182,42 @@ from
   "asset_faces"
   left join "assets" on "assets"."id" = "asset_faces"."assetId"
   and "asset_faces"."personId" = $1
-  and "assets"."visibility" != $2
+  and "assets"."visibility" = 'timeline'
   and "assets"."deletedAt" is null
 where
   "asset_faces"."deletedAt" is null
 
 -- PersonRepository.getNumberOfPeople
 select
-  count(distinct ("person"."id")) as "total",
-  count(distinct ("person"."id")) filter (
-    where
-      "person"."isHidden" = $1
+  coalesce(count(*), 0) as "total",
+  coalesce(
+    count(*) filter (
+      where
+        "isHidden" = $1
+    ),
+    0
   ) as "hidden"
 from
   "person"
-  inner join "asset_faces" on "asset_faces"."personId" = "person"."id"
-  inner join "assets" on "assets"."id" = "asset_faces"."assetId"
-  and "assets"."deletedAt" is null
-  and "assets"."visibility" != $2
 where
-  "person"."ownerId" = $3
-  and "asset_faces"."deletedAt" is null
+  exists (
+    select
+    from
+      "asset_faces"
+    where
+      "asset_faces"."personId" = "person"."id"
+      and "asset_faces"."deletedAt" is null
+      and exists (
+        select
+        from
+          "assets"
+        where
+          "assets"."id" = "asset_faces"."assetId"
+          and "assets"."visibility" = 'timeline'
+          and "assets"."deletedAt" is null
+      )
+  )
+  and "person"."ownerId" = $2
 
 -- PersonRepository.refreshFaces
 with

server/src/queries/search.repository.sql

@@ -102,23 +102,23 @@ with
       "assets"
       inner join "smart_search" on "assets"."id" = "smart_search"."assetId"
     where
-      "assets"."ownerId" = any ($2::uuid[])
+      "assets"."visibility" in ('archive', 'timeline')
+      and "assets"."ownerId" = any ($2::uuid[])
       and "assets"."deletedAt" is null
-      and "assets"."visibility" != $3
-      and "assets"."type" = $4
-      and "assets"."id" != $5::uuid
+      and "assets"."type" = $3
+      and "assets"."id" != $4::uuid
       and "assets"."stackId" is null
     order by
       "distance"
     limit
-      $6
+      $5
   )
 select
   *
 from
   "cte"
 where
-  "cte"."distance" <= $7
+  "cte"."distance" <= $6
 commit
 
 -- SearchRepository.searchFaces
@@ -241,7 +241,7 @@ from
   inner join "assets" on "assets"."id" = "exif"."assetId"
 where
   "ownerId" = any ($1::uuid[])
-  and "visibility" != $2
+  and "visibility" = $2
   and "deletedAt" is null
   and "state" is not null
 
@@ -253,7 +253,7 @@ from
   inner join "assets" on "assets"."id" = "exif"."assetId"
 where
   "ownerId" = any ($1::uuid[])
-  and "visibility" != $2
+  and "visibility" = $2
   and "deletedAt" is null
   and "city" is not null
 
@@ -265,7 +265,7 @@ from
   inner join "assets" on "assets"."id" = "exif"."assetId"
 where
   "ownerId" = any ($1::uuid[])
-  and "visibility" != $2
+  and "visibility" = $2
   and "deletedAt" is null
   and "make" is not null
 
@@ -277,6 +277,6 @@ from
   inner join "assets" on "assets"."id" = "exif"."assetId"
 where
   "ownerId" = any ($1::uuid[])
-  and "visibility" != $2
+  and "visibility" = $2
   and "deletedAt" is null
   and "model" is not null

server/src/queries/stack.repository.sql

@@ -52,6 +52,7 @@ select
         where
           "assets"."deletedAt" is null
           and "assets"."stackId" = "asset_stack"."id"
+          and "assets"."visibility" in ('archive', 'timeline')
       ) as agg
   ) as "assets"
 from
@@ -135,6 +136,7 @@ select
         where
           "assets"."deletedAt" is null
           and "assets"."stackId" = "asset_stack"."id"
+          and "assets"."visibility" in ('archive', 'timeline')
       ) as agg
   ) as "assets"
 from

server/src/queries/user.repository.sql

@@ -290,7 +290,7 @@ order by
 select
   "users"."id" as "userId",
   "users"."name" as "userName",
-  "users"."quotaSizeInBytes" as "quotaSizeInBytes",
+  "users"."quotaSizeInBytes",
   count(*) filter (
     where
       (
@@ -335,9 +335,8 @@ select
 from
   "users"
   left join "assets" on "assets"."ownerId" = "users"."id"
+  and "assets"."deletedAt" is null
   left join "exif" on "exif"."assetId" = "assets"."id"
-where
-  "assets"."deletedAt" is null
 group by
   "users"."id"
 order by

server/src/repositories/activity.repository.ts

@@ -5,6 +5,7 @@ import { InjectKysely } from 'nestjs-kysely';
 import { columns } from 'src/database';
 import { Activity, DB } from 'src/db';
 import { DummyValue, GenerateSql } from 'src/decorators';
+import { AssetVisibility } from 'src/enum';
 import { asUuid } from 'src/utils/database';
 
 export interface ActivitySearch {
@@ -76,6 +77,7 @@ export class ActivityRepository {
       .where('activity.albumId', '=', albumId)
       .where('activity.isLiked', '=', false)
       .where('assets.deletedAt', 'is', null)
+      .where('assets.visibility', '!=', sql.lit(AssetVisibility.LOCKED))
       .executeTakeFirstOrThrow();
 
     return count;

server/src/repositories/album.repository.ts

@@ -6,6 +6,7 @@ import { columns, Exif } from 'src/database';
 import { Albums, DB } from 'src/db';
 import { Chunked, ChunkedArray, ChunkedSet, DummyValue, GenerateSql } from 'src/decorators';
 import { AlbumUserCreateDto } from 'src/dtos/album.dto';
+import { withDefaultVisibility } from 'src/utils/database';
 
 export interface AlbumAssetCount {
   albumId: string;
@@ -58,6 +59,7 @@ const withAssets = (eb: ExpressionBuilder<DB, 'albums'>) => {
         .innerJoin('albums_assets_assets', 'albums_assets_assets.assetsId', 'assets.id')
         .whereRef('albums_assets_assets.albumsId', '=', 'albums.id')
         .where('assets.deletedAt', 'is', null)
+        .$call(withDefaultVisibility)
         .orderBy('assets.fileCreatedAt', 'desc')
         .as('asset'),
     )
@@ -121,6 +123,7 @@ export class AlbumRepository {
     return (
       this.db
         .selectFrom('assets')
+        .$call(withDefaultVisibility)
         .innerJoin('albums_assets_assets as album_assets', 'album_assets.assetsId', 'assets.id')
         .select('album_assets.albumsId as albumId')
         .select((eb) => eb.fn.min(sql<Date>`("assets"."localDateTime" AT TIME ZONE 'UTC'::text)::date`).as('startDate'))