From 0e09eee673435662c616b0f921cdc02619001c1e Mon Sep 17 00:00:00 2001
From: Timo Volkmann <git@timovolkmann.de>
Date: Thu, 14 Oct 2021 10:40:57 +0200
Subject: [PATCH] UI: Add permission checks (photos) and refactor acl
 evaluation for public mode #98

---
 frontend/src/app.js                        | 21 ++++++++--
 frontend/src/common/acl.js                 | 26 +-----------
 frontend/src/component/navigation.vue      | 12 +++---
 frontend/src/component/photo/cards.vue     |  7 ++--
 frontend/src/component/photo/clipboard.vue |  8 ++--
 frontend/src/component/photo/list.vue      |  6 +--
 frontend/src/component/photo/mosaic.vue    |  8 ++--
 frontend/src/component/photo/toolbar.vue   |  2 +-
 frontend/src/component/photo/viewer.vue    |  4 +-
 frontend/src/dialog/photo/details.vue      |  4 +-
 frontend/src/dialog/photo/info.vue         |  8 ++++
 frontend/src/pages/albums.vue              |  2 +-
 frontend/src/routes.js                     | 48 ++++++++++------------
 internal/acl/actions.go                    |  1 +
 internal/api/batch.go                      |  4 +-
 15 files changed, 79 insertions(+), 82 deletions(-)

diff --git a/frontend/src/app.js b/frontend/src/app.js
index a2b61dc39..2c6993f44 100644
--- a/frontend/src/app.js
+++ b/frontend/src/app.js
@@ -57,7 +57,7 @@ import Hls from "hls.js";
 import "common/maptiler-lang";
 import { $gettext, Mount } from "common/vm";
 import * as offline from "@lcdp/offline-plugin/runtime";
-import Acl from "./common/acl";
+import Acl, { Constants } from "./common/acl";
 
 // Initialize helpers
 const viewer = new Viewer();
@@ -103,11 +103,26 @@ Vue.prototype.$earlyAccess = () => {
 
 Vue.mixin({
   data() {
-    return {};
+    return {
+      aclResources: Constants.resources,
+      aclActions: Constants.actions,
+    };
   },
   computed: {
     acl() {
-      return new Acl(window.__CONFIG__.acl);
+      return new Acl(this.$config.values.acl);
+      // return new Acl(window.__CONFIG__.acl);
+    },
+  },
+  methods: {
+    hasPermission(resource, action) {
+      console.log(this.$config.values);
+      if (this.$config.values.public) return true;
+      // let acl = new Acl(window.__CONFIG__.acl);
+      console.log(`USER: ${this.$session.getUser().UserName}`);
+      console.log(this.$session.getUser());
+      console.log(`ROLE: ${this.$session.getUser().getRole()}`);
+      return this.acl.accessAllowed(this.$session.getUser().getRole(), resource, action);
     },
   },
 });
diff --git a/frontend/src/common/acl.js b/frontend/src/common/acl.js
index 1207e4745..ea06bae15 100644
--- a/frontend/src/common/acl.js
+++ b/frontend/src/common/acl.js
@@ -23,6 +23,7 @@ export const Constants = {
     ActionUpdate: "update",
     ActionUpdateSelf: "update-self",
     ActionDelete: "delete",
+    ActionArchive: "archive",
     ActionPrivate: "private",
     ActionUpload: "upload",
     ActionDownload: "download",
@@ -68,14 +69,9 @@ export default class Acl {
   }
   accessAllowed(role, resource, action) {
     if (!this.acl) return false;
-    console.log("resource: ", resource);
-    console.log("role: ", role);
-    console.log("action: ", action);
     let res;
     if (!this.acl[resource]) {
-      console.log("resource not found");
       if (!this.acl[Constants.resources.ResourceDefault]) return false;
-      console.log("using default resource");
       res = this.acl[Constants.resources.ResourceDefault];
     } else {
       res = this.acl[resource];
@@ -83,9 +79,7 @@ export default class Acl {
 
     let rol;
     if (!res[role]) {
-      console.log("role not found");
       if (!res[Constants.roles.RoleDefault]) return false;
-      console.log("using default role");
       rol = res[Constants.roles.RoleDefault];
     } else {
       rol = res[role];
@@ -93,32 +87,14 @@ export default class Acl {
 
     let act;
     if (!rol[action]) {
-      console.log("action not found");
       if (!rol[Constants.actions.ActionDefault]) return false;
-      console.log("using default action");
       act = rol[Constants.actions.ActionDefault];
     } else {
       act = rol[action];
     }
-    console.log("Result: ", act);
     return act;
   }
   accessAllowedAny(role, resource, ...actions) {
-    // let result = false;
-    // for (const a in actions) {
-    //   result = result || this.accessAllowed(role, resource, a);
-    // }
-    // return result;
-    // return actions.reduce((accumulator, action) => {
-    //   return accumulator || this.accessAllowed(role, resource, action);
-    // });
-    // for (const a in actions) {
-    //   if (this.accessAllowed(role, resource, a)) return true;
-    // }
-    // return false;
     return actions.some((action) => this.accessAllowed(role, resource, action));
   }
-  getConstants() {
-    return Constants;
-  }
 }
diff --git a/frontend/src/component/navigation.vue b/frontend/src/component/navigation.vue
index 0893e04e2..e4a2fed2e 100644
--- a/frontend/src/component/navigation.vue
+++ b/frontend/src/component/navigation.vue
@@ -116,7 +116,7 @@
             </v-list-tile-content>
           </v-list-tile>
 
-          <v-list-tile v-if="$config.feature('review') && this.acl.accessAllowed(session.getUser().getRole(), this.acl.getConstants().resources.ResourceReview, this.acl.getConstants().actions.ActionRead)" to="/review" class="nav-review"
+          <v-list-tile v-if="$config.feature('review') && hasPermission(aclResources.ResourceReview, aclActions.ActionRead)" to="/review" class="nav-review"
                        @click.stop="">
             <v-list-tile-content>
               <v-list-tile-title :class="`menu-item ${rtl ? '--rtl' : ''}`">
@@ -126,7 +126,7 @@
             </v-list-tile-content>
           </v-list-tile>
 
-          <v-list-tile v-show="$config.feature('archive') && this.acl.accessAllowed(session.getUser().getRole(), this.acl.getConstants().resources.ResourceArchive, this.acl.getConstants().actions.ActionRead)" to="/archive" class="nav-archive" @click.stop="">
+          <v-list-tile v-show="$config.feature('archive') && hasPermission(aclResources.ResourceArchive, aclActions.ActionRead)" to="/archive" class="nav-archive" @click.stop="">
             <v-list-tile-content>
               <v-list-tile-title :class="`menu-item ${rtl ? '--rtl' : ''}`">
                 <translate>Archive</translate>
@@ -301,7 +301,7 @@
           </v-list-tile-content>
         </v-list-tile>
 
-        <v-list-tile v-show="$config.feature('private') && this.acl.accessAllowed(session.getUser().getRole(), this.acl.getConstants().resources.ResourcePrivate, this.acl.getConstants().actions.ActionRead)" to="/private" class="nav-private" @click.stop="">
+        <v-list-tile v-show="$config.feature('private') && hasPermission(aclResources.ResourcePrivate, aclActions.ActionRead)" to="/private" class="nav-private" @click.stop="">
           <v-list-tile-action :title="$gettext('Private')">
             <v-icon>lock</v-icon>
           </v-list-tile-action>
@@ -314,7 +314,7 @@
           </v-list-tile-content>
         </v-list-tile>
 
-        <v-list-tile v-if="isMini && $config.feature('library') && this.acl.accessAllowed(session.getUser().getRole(), this.acl.getConstants().resources.ResourceLibrary, this.acl.getConstants().actions.ActionRead)" to="/library" class="nav-library" @click.stop="">
+        <v-list-tile v-if="isMini && $config.feature('library') && hasPermission(aclResources.ResourceLibrary, aclActions.ActionRead)" to="/library" class="nav-library" @click.stop="">
           <v-list-tile-action :title="$gettext('Library')">
             <v-icon>camera_roll</v-icon>
           </v-list-tile-action>
@@ -326,7 +326,7 @@
           </v-list-tile-content>
         </v-list-tile>
 
-        <v-list-group v-if="!isMini && $config.feature('library') && this.acl.accessAllowed(session.getUser().getRole(), this.acl.getConstants().resources.ResourceLibrary, this.acl.getConstants().actions.ActionRead)" prepend-icon="camera_roll" no-action>
+        <v-list-group v-if="!isMini && $config.feature('library') && hasPermission(aclResources.ResourceLibrary, aclActions.ActionRead)" prepend-icon="camera_roll" no-action>
           <template #activator>
             <v-list-tile to="/library" class="nav-library" @click.stop="">
               <v-list-tile-content>
@@ -364,7 +364,7 @@
           </v-list-tile>
         </v-list-group>
 
-        <template v-if="!config.disable.settings && this.acl.accessAllowed(session.getUser().getRole(), this.acl.getConstants().resources.ResourceSettings, this.acl.getConstants().actions.ActionRead)">
+        <template v-if="!config.disable.settings && hasPermission(aclResources.ResourceSettings, aclActions.ActionRead)">
           <v-list-tile v-if="isMini" to="/settings" class="nav-settings" @click.stop="">
             <v-list-tile-action :title="$gettext('Settings')">
               <v-icon>settings</v-icon>
diff --git a/frontend/src/component/photo/cards.vue b/frontend/src/component/photo/cards.vue
index 347241870..652736b1d 100644
--- a/frontend/src/component/photo/cards.vue
+++ b/frontend/src/component/photo/cards.vue
@@ -83,7 +83,7 @@
               <v-icon color="white" class="action-play">play_arrow</v-icon>
             </v-btn>
 
-            <v-btn v-if="hidePrivate" :ripple="false"
+            <v-btn v-if="hidePrivate && hasPermission(aclResources.ResourcePhotos, aclActions.ActionPrivate)" :ripple="false"
                    icon flat absolute
                    class="input-private">
               <v-icon color="white" class="select-on">lock</v-icon>
@@ -104,9 +104,10 @@
                    icon flat absolute
                    class="input-favorite"
                    @touchstart.stop.prevent="input.touchStart($event, index)"
-                   @touchend.stop.prevent="toggleLike($event, index)"
+                   @touchend.stop.prevent="hasPermission(aclResources.ResourcePhotos, aclActions.ActionLike) && toggleLike($event, index)"
                    @touchmove.stop.prevent
-                   @click.stop.prevent="toggleLike($event, index)">
+                   @click.stop.prevent="hasPermission(aclResources.ResourcePhotos, aclActions.ActionLike) && toggleLike($event, index)"
+            >
               <v-icon color="white" class="select-on">favorite</v-icon>
               <v-icon color="white" class="select-off">favorite_border</v-icon>
             </v-btn>
diff --git a/frontend/src/component/photo/clipboard.vue b/frontend/src/component/photo/clipboard.vue
index 46d91f98e..d7f27e6d5 100644
--- a/frontend/src/component/photo/clipboard.vue
+++ b/frontend/src/component/photo/clipboard.vue
@@ -57,7 +57,7 @@
           <v-icon>edit</v-icon>
         </v-btn>
         <v-btn
-            v-if="context !== 'archive' && features.private" fab dark
+            v-if="context !== 'archive' && features.private && hasPermission(aclResources.ResourcePhotos, aclActions.ActionPrivate)" fab dark
             small
             :title="$gettext('Change private flag')"
             color="private"
@@ -89,7 +89,7 @@
           <v-icon>bookmark</v-icon>
         </v-btn>
         <v-btn
-            v-if="!isAlbum && context !== 'archive' && features.archive" fab dark
+            v-if="!isAlbum && context !== 'archive' && features.archive && hasPermission(aclResources.ResourcePhotos, aclActions.ActionArchive)" fab dark
             small
             color="remove"
             :title="$gettext('Archive')"
@@ -100,7 +100,7 @@
           <v-icon>archive</v-icon>
         </v-btn>
         <v-btn
-            v-if="!album && context === 'archive'" fab dark
+            v-if="!album && context === 'archive' && hasPermission(aclResources.ResourcePhotos, aclActions.ActionArchive)" fab dark
             small
             color="restore"
             :title="$gettext('Restore')"
@@ -122,7 +122,7 @@
           <v-icon>eject</v-icon>
         </v-btn>
         <v-btn
-            v-if="!album && context === 'archive' && features.delete" fab dark
+            v-if="!album && context === 'archive' && features.delete && hasPermission(aclResources.ResourcePhotos, aclActions.ActionDelete)" fab dark
             small
             :title="$gettext('Delete')"
             color="remove"
diff --git a/frontend/src/component/photo/list.vue b/frontend/src/component/photo/list.vue
index ab80b4366..7b9a757ec 100644
--- a/frontend/src/component/photo/list.vue
+++ b/frontend/src/component/photo/list.vue
@@ -93,13 +93,13 @@
                 </span>
         </td>
         <td class="text-xs-center">
-          <v-btn v-if="hidePrivate" class="input-private" icon small flat :ripple="false"
+          <v-btn v-if="hidePrivate" class="input-private" icon small flat :ripple="false" :disabled="!hasPermission(aclResources.ResourcePhotos, aclActions.ActionPrivate)"
                  :data-uid="props.item.UID" @click.stop.prevent="props.item.togglePrivate()">
             <v-icon v-if="props.item.Private" color="secondary-dark" class="select-on">lock</v-icon>
             <v-icon v-else color="secondary" class="select-off">lock_open</v-icon>
           </v-btn>
-          <v-btn class="input-like" icon small flat :ripple="false"
-                 :data-uid="props.item.UID" @click.stop.prevent="props.item.toggleLike()">
+          <v-btn class="input-like" icon small flat :ripple="false" :disabled="!hasPermission(aclResources.ResourcePhotos, aclActions.ActionLike)"
+                 :data-uid="props.item.UID" @click.stop.prevent="hasPermission(aclResources.ResourcePhotos, aclActions.ActionLike) && props.item.toggleLike()">
             <v-icon v-if="props.item.Favorite" color="pink lighten-3" :data-uid="props.item.UID" class="select-on">
               favorite
             </v-icon>
diff --git a/frontend/src/component/photo/mosaic.vue b/frontend/src/component/photo/mosaic.vue
index 7d4db33f5..8e40dff07 100644
--- a/frontend/src/component/photo/mosaic.vue
+++ b/frontend/src/component/photo/mosaic.vue
@@ -82,7 +82,7 @@
               <v-icon color="white" class="action-play">play_arrow</v-icon>
             </v-btn>
 
-            <v-btn v-if="hidePrivate" :ripple="false"
+            <v-btn v-if="hidePrivate && hasPermission(aclResources.ResourcePhotos, aclActions.ActionPrivate)" :ripple="false"
                    icon flat small absolute
                    class="input-private">
               <v-icon color="white" class="select-on">lock</v-icon>
@@ -103,9 +103,9 @@
                    icon flat small absolute
                    class="input-favorite"
                    @touchstart.stop.prevent="input.touchStart($event, index)"
-                   @touchend.stop.prevent="toggleLike($event, index)"
+                   @touchend.stop.prevent="hasPermission(aclResources.ResourcePhotos, aclActions.ActionLike) && toggleLike($event, index)"
                    @touchmove.stop.prevent
-                   @click.stop.prevent="toggleLike($event, index)">
+                   @click.stop.prevent="hasPermission(aclResources.ResourcePhotos, aclActions.ActionLike) && toggleLike($event, index)">
               <v-icon color="white" class="select-on">favorite</v-icon>
               <v-icon color="white" class="select-off">favorite_border</v-icon>
             </v-btn>
@@ -220,7 +220,7 @@ export default {
     },
     selectRange(index) {
       this.$clipboard.addRange(index, this.photos);
-    }
+    },
   },
 };
 </script>
diff --git a/frontend/src/component/photo/toolbar.vue b/frontend/src/component/photo/toolbar.vue
index 9059c21cb..a1f814c26 100644
--- a/frontend/src/component/photo/toolbar.vue
+++ b/frontend/src/component/photo/toolbar.vue
@@ -28,7 +28,7 @@
         <v-icon>view_column</v-icon>
       </v-btn>
 
-      <v-btn v-if="!$config.values.readonly && $config.feature('upload')" icon class="hidden-sm-and-down action-upload"
+      <v-btn v-if="!$config.values.readonly && $config.feature('upload') && hasPermission(aclResources.ResourcePhotos, aclActions.ActionUpload)" icon class="hidden-sm-and-down action-upload"
              :title="$gettext('Upload')" @click.stop="showUpload()">
         <v-icon>cloud_upload</v-icon>
       </v-btn>
diff --git a/frontend/src/component/photo/viewer.vue b/frontend/src/component/photo/viewer.vue
index d223f7cea..185c49bdb 100644
--- a/frontend/src/component/photo/viewer.vue
+++ b/frontend/src/component/photo/viewer.vue
@@ -33,7 +33,7 @@
             <v-icon v-else size="16" color="white">radio_button_off</v-icon>
           </button>
 
-          <button class="pswp__button action-like hidden-shared-only" style="background: none;"
+          <button v-if="hasPermission(aclResources.ResourcePhotos, aclActions.ActionLike)" class="pswp__button action-like hidden-shared-only" style="background: none;"
                   :title="$gettext('Like')" @click.exact="onLike">
             <v-icon v-if="item.favorite" size="16" color="white">favorite</v-icon>
             <v-icon v-else size="16" color="white">favorite_border</v-icon>
@@ -255,7 +255,7 @@ export default {
       g.close(); // Close Gallery
 
       Event.publish("dialog.edit", {selection, album, index}); // Open Edit Dialog
-    }
+    },
   }
 };
 </script>
diff --git a/frontend/src/dialog/photo/details.vue b/frontend/src/dialog/photo/details.vue
index 3d3c1b38c..cbb580378 100644
--- a/frontend/src/dialog/photo/details.vue
+++ b/frontend/src/dialog/photo/details.vue
@@ -422,7 +422,6 @@ export default {
   },
   data() {
     return {
-      disabled: !this.$config.feature("edit"),
       config: this.$config.values,
       all: {
         colors: [{label: this.$gettext("Unknown"), name: ""}],
@@ -446,6 +445,9 @@ export default {
     lensOptions() {
       return this.config.lenses;
     },
+    disabled() {
+      return !this.$config.feature("edit") || !this.hasPermission(this.aclResources.ResourcePhotos, this.aclActions.ActionUpdate);
+    }
   },
   watch: {
     model() {
diff --git a/frontend/src/dialog/photo/info.vue b/frontend/src/dialog/photo/info.vue
index b6e8f9aa4..bf57da2b0 100644
--- a/frontend/src/dialog/photo/info.vue
+++ b/frontend/src/dialog/photo/info.vue
@@ -18,6 +18,7 @@
           </td>
           <td>
             <v-select
+                :disabled="!hasPermission(aclResources.ResourcePhotos, aclActions.ActionUpdate)"
                 v-model="model.Type"
                 flat solo
                 browser-autocomplete="off"
@@ -47,6 +48,7 @@
           </td>
           <td>
             <v-text-field
+                :disabled="!hasPermission(aclResources.ResourcePhotos, aclActions.ActionUpdate)"
                 v-model="model.OriginalName"
                 flat solo dense hide-details color="secondary-dark"
                 @change="save"
@@ -100,6 +102,7 @@
           </td>
           <td>
             <v-switch
+                :disabled="!hasPermission(aclResources.ResourcePhotos, aclActions.ActionUpdate)"
                 v-model="model.Stack"
                 hide-details
                 class="input-stackable"
@@ -116,6 +119,7 @@
           </td>
           <td>
             <v-switch
+                :disabled="!hasPermission(aclResources.ResourcePhotos, aclActions.ActionLike)"
                 v-model="model.Favorite"
                 hide-details
                 class="input-favorite"
@@ -130,6 +134,7 @@
           </td>
           <td>
             <v-switch
+                :disabled="!hasPermission(aclResources.ResourcePhotos, aclActions.ActionPrivate)"
                 v-model="model.Private"
                 hide-details
                 class="input-private"
@@ -144,6 +149,7 @@
           </td>
           <td>
             <v-switch
+                :disabled="!hasPermission(aclResources.ResourcePhotos, aclActions.ActionUpdate)"
                 v-model="model.Scan"
                 hide-details
                 class="input-scan"
@@ -158,6 +164,7 @@
           </td>
           <td>
             <v-switch
+                :disabled="!hasPermission(aclResources.ResourcePhotos, aclActions.ActionUpdate)"
                 v-model="model.Panorama"
                 hide-details
                 class="input-panorama"
@@ -205,6 +212,7 @@
           </td>
           <td>
             <v-text-field
+                :disabled="!hasPermission(aclResources.ResourcePhotos, aclActions.ActionUpdate)"
                 v-model="model.CellAccuracy"
                 flat solo dense hide-details color="secondary-dark"
                 type="number"
diff --git a/frontend/src/pages/albums.vue b/frontend/src/pages/albums.vue
index da2bcd5a5..6498bbcb9 100644
--- a/frontend/src/pages/albums.vue
+++ b/frontend/src/pages/albums.vue
@@ -34,7 +34,7 @@
           <v-icon>refresh</v-icon>
         </v-btn>
 
-        <v-btn v-if="!$config.values.readonly && $config.feature('upload')" icon class="hidden-sm-and-down action-upload"
+        <v-btn v-if="!$config.values.readonly && $config.feature('upload') && hasPermission(aclResources.ResourcePhotos, aclActions.ActionUpload)" icon class="hidden-sm-and-down action-upload"
                :title="$gettext('Upload')" @click.stop="showUpload()">
           <v-icon>cloud_upload</v-icon>
         </v-btn>
diff --git a/frontend/src/routes.js b/frontend/src/routes.js
index f344daaa7..c19a69d8d 100644
--- a/frontend/src/routes.js
+++ b/frontend/src/routes.js
@@ -53,10 +53,17 @@ const c = window.__CONFIG__;
 const appName = c.name;
 const siteTitle = c.siteTitle ? c.siteTitle : c.name;
 
-const acl = () => new Acl(window.__CONFIG__.acl);
 const aclActions = Constants.actions;
 const aclResources = Constants.resources;
 
+const hasPermission = (resource, action) => {
+  if (config.values.public) return true;
+  // const acl = new Acl(window.__CONFIG__.acl);
+  const acl = new Acl(config.values.acl);
+  const userrole = session.getUser().getRole();
+  return acl.accessAllowed(userrole, resource, action);
+};
+
 export default [
   {
     name: "home",
@@ -200,8 +207,7 @@ export default [
     meta: { title: $gettext("Review"), auth: true },
     props: { staticFilter: { review: true } },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourceReview, aclActions.ActionRead)) {
+      if (hasPermission(aclResources.ResourceReview, aclActions.ActionRead)) {
         next();
       } else {
         next({ name: "home" });
@@ -215,8 +221,7 @@ export default [
     meta: { title: $gettext("Private"), auth: true },
     props: { staticFilter: { private: true } },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourcePrivate, aclActions.ActionRead)) {
+      if (hasPermission(aclResources.ResourcePrivate, aclActions.ActionRead)) {
         next();
       } else {
         next({ name: "home" });
@@ -230,8 +235,7 @@ export default [
     meta: { title: $gettext("Archive"), auth: true },
     props: { staticFilter: { archived: true } },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourceArchive, aclActions.ActionRead)) {
+      if (hasPermission(aclResources.ResourceArchive, aclActions.ActionRead)) {
         next();
       } else {
         next({ name: "home" });
@@ -269,8 +273,7 @@ export default [
     component: Files,
     meta: { title: $gettext("File Browser"), auth: true },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourceLibrary, aclActions.ActionRead)) {
+      if (hasPermission(aclResources.ResourceLibrary, aclActions.ActionRead)) {
         next();
       } else {
         next({ name: "home" });
@@ -284,8 +287,7 @@ export default [
     meta: { title: $gettext("Hidden Files"), auth: true },
     props: { staticFilter: { hidden: true } },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourceLibrary, aclActions.ActionRead)) {
+      if (hasPermission(aclResources.ResourceLibrary, aclActions.ActionRead)) {
         next();
       } else {
         next({ name: "home" });
@@ -298,8 +300,7 @@ export default [
     component: Errors,
     meta: { title: appName, auth: true },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourceLibrary, aclActions.ActionRead)) {
+      if (hasPermission(aclResources.ResourceLibrary, aclActions.ActionRead)) {
         next();
       } else {
         next({ name: "home" });
@@ -345,8 +346,7 @@ export default [
     meta: { title: $gettext("Library"), auth: true, background: "application-light" },
     props: { tab: "library-index" },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourceLibrary, aclActions.ActionRead)) {
+      if (hasPermission(aclResources.ResourceLibrary, aclActions.ActionRead)) {
         next();
       } else {
         next({ name: "home" });
@@ -360,8 +360,7 @@ export default [
     meta: { title: $gettext("Library"), auth: true, background: "application-light" },
     props: { tab: "library-import" },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourceLibrary, aclActions.ActionRead)) {
+      if (hasPermission(aclResources.ResourceLibrary, aclActions.ActionRead)) {
         next();
       } else {
         next({ name: "home" });
@@ -375,8 +374,7 @@ export default [
     meta: { title: $gettext("Library"), auth: true, background: "application-light" },
     props: { tab: "library-logs" },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourceLibrary, aclActions.ActionRead)) {
+      if (hasPermission(aclResources.ResourceLibrary, aclActions.ActionRead)) {
         next();
       } else {
         next({ name: "home" });
@@ -395,8 +393,7 @@ export default [
     },
     props: { tab: "settings-general" },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourceSettings, aclActions.ActionRead)) {
+      if (hasPermission(aclResources.ResourceSettings, aclActions.ActionRead)) {
         next();
       } else {
         next({ name: "home" });
@@ -415,8 +412,7 @@ export default [
     },
     props: { tab: "settings-library" },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourceSettings, aclActions.ActionRead)) {
+      if (hasPermission(aclResources.ResourceSettings, aclActions.ActionRead)) {
         next();
       } else {
         next({ name: "home" });
@@ -435,8 +431,7 @@ export default [
     },
     props: { tab: "settings-sync" },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourceSettings, aclActions.ActionRead)) {
+      if (hasPermission(aclResources.ResourceSettings, aclActions.ActionRead)) {
         next();
       } else {
         next({ name: "home" });
@@ -454,8 +449,7 @@ export default [
     },
     props: { tab: "settings-account" },
     beforeEnter: (to, from, next) => {
-      const userrole = session.getUser().getRole();
-      if (acl().accessAllowed(userrole, aclResources.ResourceUsers, aclActions.ActionUpdateSelf)) {
+      if (hasPermission(aclResources.ResourceUsers, aclActions.ActionUpdateSelf)) {
         next();
       } else {
         next({ name: "home" });
diff --git a/internal/acl/actions.go b/internal/acl/actions.go
index f009664a9..30b538c66 100644
--- a/internal/acl/actions.go
+++ b/internal/acl/actions.go
@@ -11,6 +11,7 @@ const (
 	ActionUpdate     Action = "update"
 	ActionUpdateSelf Action = "update-self"
 	ActionDelete     Action = "delete"
+	ActionArchive    Action = "archive" // includes restore
 	ActionPrivate    Action = "private"
 	ActionUpload     Action = "upload"
 	ActionDownload   Action = "download"
diff --git a/internal/api/batch.go b/internal/api/batch.go
index 29a88a8ea..cefa86412 100644
--- a/internal/api/batch.go
+++ b/internal/api/batch.go
@@ -21,7 +21,7 @@ import (
 // POST /api/v1/batch/photos/archive
 func BatchPhotosArchive(router *gin.RouterGroup) {
 	router.POST("/batch/photos/archive", func(c *gin.Context) {
-		s := Auth(SessionID(c), acl.ResourcePhotos, acl.ActionDelete)
+		s := Auth(SessionID(c), acl.ResourcePhotos, acl.ActionArchive)
 
 		if s.Invalid() {
 			AbortUnauthorized(c)
@@ -84,7 +84,7 @@ func BatchPhotosArchive(router *gin.RouterGroup) {
 // POST /api/v1/batch/photos/restore
 func BatchPhotosRestore(router *gin.RouterGroup) {
 	router.POST("/batch/photos/restore", func(c *gin.Context) {
-		s := Auth(SessionID(c), acl.ResourcePhotos, acl.ActionDelete)
+		s := Auth(SessionID(c), acl.ResourcePhotos, acl.ActionArchive)
 
 		if s.Invalid() {
 			AbortUnauthorized(c)