This issue was moved to a discussion.

Admin API key cannot delete assets owned by other users #6788

Closed
1 of 3 tasks
shamefulIguana8 opened this issue Jan 31, 2024 · 3 comments

@shamefulIguana8

The bug

Hello, I am trying to delete some orphaned assets (due to docker volume weirdness, not because of an Immich bug) using the deleteAssets api.

When I send the request:

DELETE https://[immich]/api/asset

Headers: 
Content-Type: application/json
x-api-key: [admin api key]

Body:
{
  "force": true,
  "ids": [
    "[asset owned by non-admin user]"
  ]
}

I receive:

{
  "message": "Not found or no asset.delete access",
  "error": "Bad Request",
  "statusCode": 400
}

If I use the asset owner's API key then it works and deletes the asset successfully.

The OS that Immich Server is running on

Fedora Linux 37 (Server Edition) x86_64, Docker version 24.0.7

Version of Immich Server

v1.93.3

Version of Immich Mobile App

N/A

Platform with the issue

  • Server
  • Web
  • Mobile

Your docker-compose.yml content

N/A

Your .env content

N/A

Reproduction steps

1. Send a DELETE request to https://[immich]/api/asset
2. Use an admin api key
3. Include an asset UUID owned by a different user from the admin account
4. Get a 400 error

Additional information

I've tested this in python with the requests library as well as with curl

I doubt this is a big issue, but it's still an inconvenience when using a script to delete all the orphaned assets as you need an admin api key to get the list of orphans and then an api key from every user matched to the assets to be deleted... Or you can just try every user api key against every asset but it's still a massive pain with multiple users. (Thankfully my IDP has impersonation so I can get the various api keys)
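
The per-owner workaround described in the report above, as an added example (not part of the original issue and not Immich's code): it groups orphaned asset IDs by owner so that each DELETE is sent with that owner's key, and skips assets whose owner key is unknown instead of trying other users' keys against them. The `asset_owner` and `owner_keys` mappings, the batch size and the function names are assumptions; only the endpoint, headers and body shape come from the report.

```python
import json
import urllib.error
import urllib.request
from collections import defaultdict


def plan_deletes(asset_owner, owner_keys, batch=100):
    """Group asset ids by owner and return (plan, skipped).

    asset_owner: {asset_id: owner_id}; owner_keys: {owner_id: api_key}.
    The plan holds owner ids only, so API keys never end up in logs of it.
    batch=100 is an assumed size; the report states no limit.
    """
    by_owner, skipped = defaultdict(list), []
    for asset_id, owner in sorted(asset_owner.items()):
        if owner in owner_keys:
            by_owner[owner].append(asset_id)
        else:
            skipped.append(asset_id)  # no key for this owner: leave it alone
    plan = []
    for owner, ids in by_owner.items():
        for i in range(0, len(ids), batch):
            body = {"force": True, "ids": ids[i:i + batch]}
            plan.append({"owner": owner, "body": body})
    return plan, skipped


def send(base_url, api_key, body):
    """Issue DELETE {base_url}/api/asset as in the report; return the status."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/asset",
        data=json.dumps(body).encode(),
        method="DELETE",
        headers={"Content-Type": "application/json", "x-api-key": api_key},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 400: "Not found or no asset.delete access"


if __name__ == "__main__":
    # Constructed sample data; nothing is sent, the plan is only printed.
    owners = {"asset-1": "user-a", "asset-2": "user-b", "asset-3": "user-a"}
    plan, skipped = plan_deletes(owners, {"user-a": "KEY_A_PLACEHOLDER"})
    print(json.dumps(plan, indent=2), "skipped:", skipped)
```
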

@bo0tzz
Member

bo0tzz commented Jan 31, 2024

This is as intended

@bo0tzz bo0tzz closed this as completed Jan 31, 2024
@shamefulIguana8
Author

Okay, sorry for the waste of time. I couldn't find anything about it in the docs.

@aviv926
Contributor

aviv926 commented Jan 31, 2024

> This is as intended

I'm not sure how to do it from mobile, but it might be worth converting it to a conversation (marked as answered/solved) until we add this information to the documentation.

@immich-app immich-app locked and limited conversation to collaborators Jan 31, 2024
@jrasm91 jrasm91 converted this issue into discussion #6804 Jan 31, 2024
