Auth: Extend user accounts with custom scope setting

Signed-off-by: Michael Mayer <[email protected]>

Author: lastzero

frontend/src/common/config.js

@@ -674,9 +674,21 @@ export default class Config {
 
     const albumsRoute = "albums";
     const browseRoute = "browse";
-    const defaultRoute = this.deny("photos", "access_library") ? albumsRoute : browseRoute;
+    const settingsRoute = "settings";
 
-    if (this.allow("settings", "update")) {
+    let defaultRoute;
+
+    if (this.deny("photos", "access_library") || !this.feature("search")) {
+      if (this.deny("albums", "view") || !this.feature("albums")) {
+        defaultRoute = settingsRoute;
+      } else {
+        defaultRoute = albumsRoute;
+      }
+    } else {
+      defaultRoute = browseRoute;
+    }
+
+    if (defaultRoute !== settingsRoute && this.allow("settings", "update")) {
       const features = this.getSettings()?.features;
       const startPage = this.getSettings()?.ui?.startPage;
 
@@ -704,6 +716,8 @@ export default class Config {
             return features.labels ? startPage : defaultRoute;
           case "folders":
             return features.folders ? startPage : defaultRoute;
+          case "settings":
+            return features.settings ? startPage : defaultRoute;
           default:
             return defaultRoute;
         }

frontend/src/common/session.js

@@ -46,6 +46,7 @@ export default class Session {
     this.config = config;
     this.provider = "";
     this.user = new User(false);
+    this.scope = "";
     this.data = null;
 
     // Set session storage.
@@ -106,6 +107,11 @@ export default class Session {
       if (provider !== null && provider !== "undefined") {
         this.provider = provider;
       }
+
+      const scope = this.storage.getItem(this.storageKey + ".scope");
+      if (scope !== null && scope !== "undefined") {
+        this.scope = scope;
+      }
     }
 
     // Authenticated?
@@ -219,11 +225,13 @@ export default class Session {
     this.id = null;
     this.authToken = null;
     this.provider = "";
+    this.scope = "";
 
     // "session.id" is the SHA256 hash of the auth token.
     this.storage.removeItem(this.storageKey + ".id");
     this.storage.removeItem(this.storageKey + ".token");
     this.storage.removeItem(this.storageKey + ".provider");
+    this.storage.removeItem(this.storageKey + ".scope");
 
     // Remove previously used data e.g. "session_id"
     // is deprecated in favor of "session.token".
@@ -292,6 +300,10 @@ export default class Session {
       this.setUser(resp.data.user);
     }
 
+    if (resp.data.scope) {
+      this.setScope(resp.data.scope);
+    }
+
     if (resp.data.data) {
       this.setData(resp.data.data);
     }
@@ -340,6 +352,23 @@ export default class Session {
     return this.user;
   }
 
+  setScope(scope) {
+    this.scope = scope;
+    this.storage.setItem(this.storageKey + ".scope", scope);
+  }
+
+  hasScope() {
+    return Boolean(this.scope) && this.scope !== "*";
+  }
+
+  getScope() {
+    if (this.hasScope()) {
+      return this.scope;
+    }
+
+    return "*";
+  }
+
   getUserUID() {
     if (this.user && this.user.UID) {
       return this.user.UID;

frontend/src/component/navigation.vue

@@ -998,6 +998,7 @@ export default {
     const isReadOnly = this.$config.get("readonly");
     const isRestricted = this.$config.deny("photos", "access_library");
     const isSuperAdmin = this.$session.isSuperAdmin();
+    const hasScope = this.$session.hasScope();
     const tier = this.$config.getTier();
 
     return {
@@ -1017,7 +1018,7 @@ export default {
       drawer: null,
       featUpgrade: tier < 6 && isSuperAdmin && !isPublic && !isDemo,
       featMembership: tier < 3 && isSuperAdmin && !isPublic && !isDemo,
-      featFeedback: tier >= 6 && isSuperAdmin && !isPublic && !isDemo,
+      featFeedback: !hasScope && tier >= 6 && isSuperAdmin && !isPublic && !isDemo,
       featFiles: this.$config.feature("files"),
       featUsage: canManagePhotos && this.$config.feature("files") && this.$config.values?.usage?.filesTotal,
       isRestricted: isRestricted,

frontend/src/model/user.js

@@ -28,6 +28,7 @@ export class User extends RestModel {
       Email: "",
       BackupEmail: "",
       Role: "",
+      Scope: "",
       Attr: "",
       SuperAdmin: false,
       CanLogin: false,
@@ -200,6 +201,18 @@ export class User extends RestModel {
       .then((response) => Promise.resolve(new Form(response.data)));
   }
 
+  hasScope() {
+    return Boolean(this.Scope) && this.Scope !== "*";
+  }
+
+  getScope() {
+    if (this.hasScope()) {
+      return this.Scope;
+    }
+
+    return "*";
+  }
+
   isRemote() {
     return this.AuthProvider && this.AuthProvider === "ldap";
   }

frontend/src/options/options.js

@@ -209,6 +209,7 @@ export const StartPages = (features, isPortal) => {
     { value: "moments", text: $gettext("Moments"), props: { disabled: !features?.moments } },
     { value: "labels", text: $gettext("Labels"), props: { disabled: !features?.labels } },
     { value: "folders", text: $gettext("Folders"), props: { disabled: !features?.folders } },
+    { value: "settings", text: $gettext("Settings"), props: { disabled: !features?.settings } },
   ];
 };
 

frontend/src/page/settings/general.vue

@@ -79,7 +79,7 @@
         </v-card-actions>
       </v-card>
 
-      <v-card v-if="!isPortal && (isDemo || isSuperAdmin)" flat tile class="mt-0 px-1 bg-background">
+      <v-card v-if="!isPortal && !hasScope && (isDemo || isSuperAdmin)" flat tile class="mt-0 px-1 bg-background">
         <v-card-actions>
           <v-row align="start" dense>
             <v-col cols="12" sm="6" lg="3" class="px-2 pb-2 pt-2">
@@ -436,6 +436,7 @@ export default {
     return {
       isDemo: this.$config.isDemo(),
       isAdmin: this.$session.isAdmin(),
+      hasScope: this.$session.hasScope(),
       isSuperAdmin: this.$session.isSuperAdmin(),
       isPublic: this.$config.isPublic(),
       isPortal: this.$config.isPortal(),

frontend/tests/vitest/common/config.test.js

@@ -6,6 +6,11 @@ import * as themes from "options/themes";
 
 const defaultConfig = new Config(new StorageShim(), window.__CONFIG__);
 
+const createTestConfig = () => {
+  const values = JSON.parse(JSON.stringify(window.__CONFIG__));
+  return new Config(new StorageShim(), values);
+};
+
 describe("common/config", () => {
   it("should get all config values", () => {
     const storage = new StorageShim();
@@ -164,6 +169,86 @@ describe("common/config", () => {
     expect(defaultConfig.feature("download")).toBe(true);
   });
 
+  it("returns albums when library access is restricted", () => {
+    const cfg = createTestConfig();
+    const settings = JSON.parse(JSON.stringify(cfg.getSettings()));
+    settings.features = {
+      ...settings.features,
+      search: true,
+      albums: true,
+      settings: true,
+    };
+    cfg.set("settings", settings);
+    cfg.set("acl", {
+      photos: { full_access: false, access_library: false },
+      albums: { full_access: false, view: true },
+      settings: { full_access: false, update: false },
+    });
+
+    expect(cfg.getDefaultRoute()).toBe("albums");
+  });
+
+  it("returns settings when library and albums are unavailable", () => {
+    const cfg = createTestConfig();
+    const settings = JSON.parse(JSON.stringify(cfg.getSettings()));
+    settings.features = {
+      ...settings.features,
+      search: true,
+      albums: false,
+      settings: true,
+    };
+    cfg.set("settings", settings);
+    cfg.set("acl", {
+      photos: { full_access: false, access_library: false },
+      albums: { full_access: false, view: false },
+      settings: { full_access: false, update: false },
+    });
+
+    expect(cfg.getDefaultRoute()).toBe("settings");
+  });
+
+  it("honors settings start page when permitted", () => {
+    const cfg = createTestConfig();
+    const settings = JSON.parse(JSON.stringify(cfg.getSettings()));
+    settings.ui = {
+      ...settings.ui,
+      startPage: "settings",
+    };
+    settings.features = {
+      ...settings.features,
+      search: true,
+      settings: true,
+    };
+    cfg.set("settings", settings);
+    cfg.set("acl", {
+      photos: { full_access: false, access_library: true },
+      settings: { full_access: false, update: true },
+    });
+
+    expect(cfg.getDefaultRoute()).toBe("settings");
+  });
+
+  it("falls back to default route when settings feature is disabled", () => {
+    const cfg = createTestConfig();
+    const settings = JSON.parse(JSON.stringify(cfg.getSettings()));
+    settings.ui = {
+      ...settings.ui,
+      startPage: "settings",
+    };
+    settings.features = {
+      ...settings.features,
+      search: true,
+      settings: false,
+    };
+    cfg.set("settings", settings);
+    cfg.set("acl", {
+      photos: { full_access: false, access_library: true },
+      settings: { full_access: false, update: true },
+    });
+
+    expect(cfg.getDefaultRoute()).toBe("browse");
+  });
+
   it("should test get name", () => {
     const result = defaultConfig.getPerson("a");
     expect(result).toBeNull();

frontend/tests/vitest/common/session.test.js

@@ -186,6 +186,28 @@ describe("common/session", () => {
     session.deleteData();
   });
 
+  it("should manage scope state", () => {
+    const storage = new StorageShim();
+    const session = new Session(storage, $config);
+
+    // Default scope is unrestricted.
+    expect(session.hasScope()).toBe(false);
+    expect(session.getScope()).toBe("*");
+
+    session.setId("a9b8ff820bf40ab451910f8bbfe401b2432446693aa539538fbd2399560a722f");
+    session.setAuthToken("234200000000000000000000000000000000000000000000");
+    session.setScope("photos:view");
+    expect(session.hasScope()).toBe(true);
+    expect(session.getScope()).toBe("photos:view");
+
+    // Scope flag should survive re-instantiation with the same storage.
+    const restoredSession = new Session(storage, $config);
+    expect(restoredSession.hasScope()).toBe(true);
+    expect(restoredSession.getScope()).toBe("photos:view");
+
+    session.deleteAuthentication();
+  });
+
   it("should test whether user is set", () => {
     const storage = new StorageShim();
     const session = new Session(storage, $config);

frontend/tests/vitest/fixtures.js

@@ -133,6 +133,21 @@ Mock.onPost("api/v1/session").reply(
     access_token: "999900000000000000000000000000000000000000000000",
     token_type: "Bearer",
     provider: "test",
+    scope: "photos:view",
+    data: { token: "123token" },
+    user: { ID: 1, UID: "urjysof3b9v7lgex", Name: "test", Email: "[email protected]" },
+  },
+  mockHeaders
+);
+
+Mock.onGet("api/v1/session").reply(
+  200,
+  {
+    session_id: "5aa770f2a1ef431628d9f17bdf82a0d16865e99d4a1ddd9356e1aabfe6464683",
+    access_token: "999900000000000000000000000000000000000000000000",
+    token_type: "Bearer",
+    provider: "test",
+    scope: "photos:view",
     data: { token: "123token" },
     user: { ID: 1, UID: "urjysof3b9v7lgex", Name: "test", Email: "[email protected]" },
   },

frontend/tests/vitest/model/user.test.js

@@ -197,6 +197,16 @@ describe("model/user", () => {
     expect(result).toBe("Max Last");
   });
 
+  it("should manage scope helpers", () => {
+    const unrestricted = new User({ Scope: "*" });
+    expect(unrestricted.hasScope()).toBe(false);
+    expect(unrestricted.getScope()).toBe("*");
+
+    const restricted = new User({ Scope: "photos:view" });
+    expect(restricted.hasScope()).toBe(true);
+    expect(restricted.getScope()).toBe("photos:view");
+  });
+
   it("should get id", () => {
     const values = {
       ID: 5,