add backend for listing user group permissions

Author: ildyria

app/Actions/Sharing/Propagate.php

@@ -49,7 +49,7 @@ private function applyUpdate(Album $album): void
 		// for each descendant, create a new permission if it does not exist.
 		// or update the existing permission.
 		$descendants = $album->descendants()->getQuery()->select('id')->pluck('id');
-		$permissions = $album->access_permissions()->whereNotNull('user_id')->get();
+		$permissions = $album->access_permissions()->whereNotNull('user_id')->orWhereNotNull('user_group_id')->get();
 
 		// This is super inefficient.
 		// It would be better to do it in a single query...
@@ -59,6 +59,7 @@ private function applyUpdate(Album $album): void
 				$perm = AccessPermission::updateOrCreate([
 					APC::BASE_ALBUM_ID => $descendant,
 					APC::USER_ID => $permission->user_id,
+					APC::USER_GROUP_ID => $permission->user_group_id,
 				], [
 					APC::GRANTS_FULL_PHOTO_ACCESS => $permission->grants_full_photo_access,
 					APC::GRANTS_DOWNLOAD => $permission->grants_download,
@@ -122,7 +123,7 @@ private function applyOverwrite(Album $album): void
 			->where('_rgt', '<', $album->_rgt)
 			->pluck('id');
 
-		$access_permissions = $album->access_permissions()->whereNotNull('user_id')->get();
+		$access_permissions = $album->access_permissions()->whereNotNull('user_id')->orWhereNotNull('user_group_id')->get();
 
 		$new_perm = $access_permissions->reduce(
 			fn (?array $acc, AccessPermission $permission) => array_merge(
@@ -131,6 +132,7 @@ private function applyOverwrite(Album $album): void
 					fn ($descendant_id) => [
 						APC::BASE_ALBUM_ID => $descendant_id,
 						APC::USER_ID => $permission->user_id,
+						APC::USER_GROUP_ID => $permission->user_group_id,
 						APC::GRANTS_FULL_PHOTO_ACCESS => $permission->grants_full_photo_access,
 						APC::GRANTS_DOWNLOAD => $permission->grants_download,
 						APC::GRANTS_UPLOAD => $permission->grants_upload,

app/Actions/Sharing/Share.php

@@ -17,14 +17,21 @@ class Share
 	 * Create an access permission from a resource.
 	 *
 	 * @param AccessPermissionResource $access_permission_resource
+	 * @param int|null                 $user_id
+	 * @param int|null                 $user_group_id
 	 * @param string                   $base_album_id
 	 *
 	 * @return AccessPermission
 	 */
-	public function do(AccessPermissionResource $access_permission_resource, int $user_id, string $base_album_id): AccessPermission
-	{
+	public function do(
+		AccessPermissionResource $access_permission_resource,
+		string $base_album_id,
+		?int $user_id = null,
+		?int $user_group_id = null,
+	): AccessPermission {
 		$perm = new AccessPermission();
 		$perm->user_id = $user_id;
+		$perm->user_group_id = $user_group_id;
 		$perm->base_album_id = $base_album_id;
 		$perm->grants_full_photo_access = $access_permission_resource->grants_full_photo_access;
 		$perm->grants_download = $access_permission_resource->grants_download;
@@ -33,6 +40,7 @@ public function do(AccessPermissionResource $access_permission_resource, int $us
 		$perm->grants_delete = $access_permission_resource->grants_delete;
 		$perm->load('user');
 		$perm->load('album');
+		$perm->load('user_group');
 		$perm->save();
 
 		return $perm;

app/Contracts/Http/Requests/HasUserGroupIds.php

@@ -0,0 +1,17 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2025 LycheeOrg.
+ */
+
+namespace App\Contracts\Http\Requests;
+
+interface HasUserGroupIds
+{
+	/**
+	 * @return int[]
+	 */
+	public function userGroupIds(): array;
+}

app/Contracts/Http/Requests/RequestAttribute.php

@@ -14,6 +14,7 @@ class RequestAttribute
 
 	public const USER_ID_ATTRIBUTE = 'user_id';
 	public const USER_IDS_ATTRIBUTE = 'user_ids';
+	public const USER_GROUP_IDS_ATTRIBUTE = 'group_ids';
 
 	public const GROUP_ID = 'group_id';
 	public const NAME_ATTRIBUTE = 'name';

app/Http/Controllers/Gallery/SharingController.php

@@ -46,16 +46,35 @@ class SharingController extends Controller
 	public function create(AddSharingRequest $request, Share $share): array
 	{
 		// delete any already created.
-		AccessPermission::whereIn('user_id', $request->userIds())
-			->whereIn('base_album_id', $request->albumIds())
+		AccessPermission::whereIn('base_album_id', $request->albumIds())
+			->where(fn ($q) => $q->whereIn('user_id', $request->userIds())
+				->orWhereIn(APC::USER_GROUP_ID, $request->userGroupIds()))
 			->delete();
 
 		$access_permissions = [];
+
 		// Not optimal, but this is barely used, so who cares.
 		// A better approach would be to do a massive insert in a single SQL query from the cross product.
-		foreach ($request->userIds() as $user_id) {
-			foreach ($request->albumIds() as $album_id) {
-				$access_permissions[] = $share->do($request->permResource(), $user_id, $album_id);
+		foreach ($request->albumIds() as $album_id) {
+			foreach ($request->userIds() as $user_id) {
+				// Create a new sharing permission for each user and album combination.
+				// This is not optimal, but it is simple and works.
+				// A better approach would be to do a massive insert in a single SQL query from the cross product.
+				$access_permissions[] = $share->do(
+					access_permission_resource: $request->permResource(),
+					user_id: $user_id,
+					base_album_id: $album_id
+				);
+			}
+			foreach ($request->userGroupIds() as $user_group_id) {
+				// Create a new sharing permission for each user group and album combination.
+				// This is not optimal, but it is simple and works.
+				// A better approach would be to do a massive insert in a single SQL query from the cross product.
+				$access_permissions[] = $share->do(
+					access_permission_resource: $request->permResource(),
+					user_group_id: $user_group_id,
+					base_album_id: $album_id
+				);
 			}
 		}
 
@@ -92,9 +111,10 @@ public function edit(EditSharingRequest $request): AccessPermissionResource
 	 */
 	public function list(ListSharingRequest $request): Collection
 	{
-		$query = AccessPermission::with(['album', 'user']);
-		$query = $query->whereNotNull(APC::USER_ID);
+		$query = AccessPermission::with(['album', 'user', 'user_group']);
 		$query = $query->where(APC::BASE_ALBUM_ID, '=', $request->album()->id);
+		$query = $query->where(fn ($q) => $q->whereNotNull(APC::USER_ID)
+			->orWhereNotNull(APC::USER_GROUP_ID));
 
 		return AccessPermissionResource::collect($query->get());
 	}
@@ -108,12 +128,14 @@ public function list(ListSharingRequest $request): Collection
 	 */
 	public function listAll(ListAllSharingRequest $request): Collection
 	{
-		$query = AccessPermission::with(['album', 'user']);
+		$query = AccessPermission::with(['album', 'user', 'user_group']);
 		$query = $query->when(
 			!Auth::user()->may_administrate,
 			fn ($q) => $q->whereIn('base_album_id', BaseAlbumImpl::select('id')
-						->where('owner_id', '=', Auth::id())));
-		$query = $query->whereNotNull('user_id');
+				->where('owner_id', '=', Auth::id()))
+		);
+		$query = $query->whereNotNull(APC::USER_ID);
+		$query = $query->orWhereNotNull(APC::USER_GROUP_ID);
 		$query = $query->orderBy('base_album_id', 'asc');
 
 		return AccessPermissionResource::collect($query->get());
@@ -134,10 +156,12 @@ public function listAlbums(ListAllSharingRequest $request, ListAlbums $list_albu
 			$owner_id = $user->id;
 		}
 
-		return TargetAlbumResource::collect($list_albums->do(
-			albums_filtering: resolve(Collection::class),
-			parent_id: null,
-			owner_id: $owner_id)
+		return TargetAlbumResource::collect(
+			$list_albums->do(
+				albums_filtering: resolve(Collection::class),
+				parent_id: null,
+				owner_id: $owner_id
+			)
 		);
 	}
 
@@ -173,4 +197,4 @@ public function propagate(PropagateSharingRequest $request, Propagate $propagate
 			$propagate->update($album);
 		}
 	}
-}
+}

app/Http/Requests/Sharing/AddSharingRequest.php

@@ -16,12 +16,14 @@
 use App\Http\Requests\BaseApiRequest;
 use App\Http\Requests\Traits\HasAccessPermissionResourceTrait;
 use App\Http\Requests\Traits\HasAlbumIdsTrait;
+use App\Http\Requests\Traits\HasUserGroupIdsTrait;
 use App\Http\Requests\Traits\HasUserIdsTrait;
 use App\Http\Resources\Models\AccessPermissionResource;
 use App\Policies\AlbumPolicy;
 use App\Rules\IntegerIDRule;
 use App\Rules\RandomIDRule;
 use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
 
 /**
  * Represents a request for setting the shares of specific albums.
@@ -32,6 +34,7 @@ class AddSharingRequest extends BaseApiRequest implements HasAlbumIds, HasUserId
 {
 	use HasAlbumIdsTrait;
 	use HasUserIdsTrait;
+	use HasUserGroupIdsTrait;
 	use HasAccessPermissionResourceTrait;
 
 	/**
@@ -50,8 +53,10 @@ public function rules(): array
 		return [
 			RequestAttribute::ALBUM_IDS_ATTRIBUTE => 'required|array|min:1',
 			RequestAttribute::ALBUM_IDS_ATTRIBUTE . '.*' => ['required', new RandomIDRule(false)],
-			RequestAttribute::USER_IDS_ATTRIBUTE => 'required|array|min:1',
+			RequestAttribute::USER_IDS_ATTRIBUTE => 'present|array',
 			RequestAttribute::USER_IDS_ATTRIBUTE . '.*' => ['required', new IntegerIDRule(false)],
+			RequestAttribute::USER_GROUP_IDS_ATTRIBUTE => 'present|array',
+			RequestAttribute::USER_GROUP_IDS_ATTRIBUTE . '.*' => ['required', new IntegerIDRule(false)],
 			RequestAttribute::GRANTS_DOWNLOAD_ATTRIBUTE => ['required', 'boolean'],
 			RequestAttribute::GRANTS_FULL_PHOTO_ACCESS_ATTRIBUTE => ['required', 'boolean'],
 			RequestAttribute::GRANTS_UPLOAD_ATTRIBUTE => ['required', 'boolean'],
@@ -67,6 +72,13 @@ protected function processValidatedValues(array $values, array $files): void
 	{
 		$this->album_ids = $values[RequestAttribute::ALBUM_IDS_ATTRIBUTE];
 		$this->user_ids = $values[RequestAttribute::USER_IDS_ATTRIBUTE];
+		$this->user_group_ids = $values[RequestAttribute::USER_GROUP_IDS_ATTRIBUTE];
+
+		if ($this->user_ids === [] && $this->user_group_ids === []) {
+			// If no users or groups are specified, we do not create a permission.
+			throw new ValidationException('You must specify at least one user or group to share with.', 422);
+		}
+
 		$this->perm_resource = new AccessPermissionResource(
 			grants_edit: static::toBoolean($values[RequestAttribute::GRANTS_EDIT_ATTRIBUTE]),
 			grants_delete: static::toBoolean($values[RequestAttribute::GRANTS_DELETE_ATTRIBUTE]),

app/Http/Requests/Sharing/EditSharingRequest.php

@@ -64,7 +64,7 @@ protected function processValidatedValues(array $values, array $files): void
 	{
 		/** @var int $id */
 		$id = $values[RequestAttribute::PERMISSION_ID];
-		$this->perm = AccessPermission::with(['album', 'user'])->findOrFail($id);
+		$this->perm = AccessPermission::with(['album', 'user', 'user_group'])->findOrFail($id);
 
 		$this->perm_resource = new AccessPermissionResource(
 			grants_edit: static::toBoolean($values[RequestAttribute::GRANTS_EDIT_ATTRIBUTE]),

app/Http/Requests/Traits/HasUserGroupIdsTrait.php

@@ -0,0 +1,25 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2025 LycheeOrg.
+ */
+
+namespace App\Http\Requests\Traits;
+
+trait HasUserGroupIdsTrait
+{
+	/**
+	 * @var array<int,int>
+	 */
+	protected array $user_group_ids = [];
+
+	/**
+	 * @return array<int,int>
+	 */
+	public function userGroupIds(): array
+	{
+		return $this->user_group_ids;
+	}
+}

app/Http/Resources/Models/AccessPermissionResource.php

@@ -18,7 +18,9 @@ class AccessPermissionResource extends Data
 	public function __construct(
 		public ?int $id = null,
 		public ?int $user_id = null,
+		public ?int $user_group_id = null,
 		public ?string $username = null,
+		public ?string $user_group_name = null,
 		public ?string $album_title = null,
 		public ?string $album_id = null,
 		public bool $grants_full_photo_access = false,
@@ -33,8 +35,10 @@ public static function fromModel(AccessPermission $access_permission): AccessPer
 	{
 		return new AccessPermissionResource(
 			id: $access_permission->id,
-			user_id: $access_permission->user_id,
-			username: $access_permission->user->name,
+			user_id: $access_permission->user?->id,
+			username: $access_permission->user?->name,
+			user_group_id: $access_permission->user_group?->id,
+			user_group_name: $access_permission->user_group?->name,
 			album_title: $access_permission->album->title,
 			album_id: $access_permission->base_album_id,
 			grants_full_photo_access: $access_permission->grants_full_photo_access,

app/Models/AccessPermission.php

@@ -73,6 +73,7 @@ class AccessPermission extends Model
 		'created_at' => 'datetime',
 		'updated_at' => 'datetime',
 		APC::USER_ID => 'integer',
+		APC::USER_GROUP_ID => 'integer',
 		APC::IS_LINK_REQUIRED => 'boolean',
 		APC::GRANTS_FULL_PHOTO_ACCESS => 'boolean',
 		APC::GRANTS_DOWNLOAD => 'boolean',
@@ -86,6 +87,7 @@ class AccessPermission extends Model
 	 */
 	protected $fillable = [
 		APC::USER_ID,
+		APC::USER_GROUP_ID,
 		APC::BASE_ALBUM_ID,
 		APC::IS_LINK_REQUIRED,
 		APC::GRANTS_FULL_PHOTO_ACCESS,

app/Models/User.php

@@ -120,6 +120,14 @@ class User extends Authenticatable implements WebAuthnAuthenticatable
 
 	protected $hidden = [];
 
+	/**
+	 * We always want to load the user groups when loading a user.
+	 * So that we can use the groups to determine the permissions without having to do intersection in the db.
+	 *
+	 * Furthermore, that way it is also provided when using Auth::user()
+	 *
+	 * @var list<string>
+	 */
 	protected $with = [
 		'user_groups',
 	];

resources/js/lychee.d.ts

@@ -334,7 +334,9 @@ declare namespace App.Http.Resources.Models {
 	export type AccessPermissionResource = {
 		id: number | null;
 		user_id: number | null;
+		user_group_id: number | null;
 		username: string | null;
+		user_group_name: string | null;
 		album_title: string | null;
 		album_id: string | null;
 		grants_full_photo_access: boolean;

tests/Feature_v2/Album/SharingTest.php

@@ -88,6 +88,7 @@ public function testUserGet(): void
 
 		$response = $this->actingAs($this->userMayUpload2)->postJson('Sharing', [
 			'user_ids' => [$this->userMayUpload1->id],
+			'group_ids' => [],
 			'album_ids' => [$this->album2->id],
 			'grants_edit' => true,
 			'grants_delete' => true,
@@ -141,8 +142,8 @@ public function testUpdate(): void
 			'shall_override' => false,
 		]);
 		$this->assertNoContent($response);
-		self::assertEquals(1, AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->count());
-		$perm = AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->first();
+		self::assertEquals(2, AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->count());
+		$perm = AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->whereNull(APC::USER_GROUP_ID)->first();
 
 		// Update the permission with false
 		$response = $this->actingAs($this->userMayUpload1)->patchJson('Sharing', [
@@ -156,7 +157,7 @@ public function testUpdate(): void
 		$this->assertOk($response);
 
 		// Verify the permission
-		$perm = AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->first();
+		$perm = AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->whereNull(APC::USER_GROUP_ID)->first();
 		self::assertFalse($perm->grants_edit);
 		self::assertFalse($perm->grants_delete);
 		self::assertFalse($perm->grants_download);
@@ -170,10 +171,10 @@ public function testUpdate(): void
 		]);
 		$this->assertNoContent($response);
 		// Verify the count is still 1.
-		self::assertEquals(1, AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->count());
+		self::assertEquals(2, AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->count());
 
 		// Verify the permission
-		$perm = AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->first();
+		$perm = AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->whereNull(APC::USER_GROUP_ID)->first();
 		self::assertTrue($perm->grants_edit);
 		self::assertTrue($perm->grants_delete);
 		self::assertTrue($perm->grants_download);
@@ -186,6 +187,7 @@ public function testOverride(): void
 		// Set up the permission in subSlbum
 		$response = $this->actingAs($this->userMayUpload1)->postJson('Sharing', [
 			'user_ids' => [$this->userLocked->id],
+			'group_ids' => [],
 			'album_ids' => [$this->subAlbum1->id],
 			'grants_edit' => true,
 			'grants_delete' => true,
@@ -198,6 +200,7 @@ public function testOverride(): void
 
 		$response = $this->actingAs($this->userMayUpload1)->postJson('Sharing', [
 			'user_ids' => [$this->userNoUpload->id],
+			'group_ids' => [],
 			'album_ids' => [$this->album1->id],
 			'grants_edit' => true,
 			'grants_delete' => true,