From 27c27529f6b06374fed505ba87c6ee1165d23983 Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Tue, 10 Jun 2025 19:52:47 -0400
Subject: [PATCH 1/2] enforce DM visibility in generateVisibilityQuery
---
 packages/backend/src/core/QueryService.ts | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/packages/backend/src/core/QueryService.ts b/packages/backend/src/core/QueryService.ts
index 4089fc080c..2d8ea51e65 100644
--- a/packages/backend/src/core/QueryService.ts
+++ b/packages/backend/src/core/QueryService.ts
@@ -157,15 +157,17 @@ export class QueryService {
 qb
 // My post
 .orWhere(':meId = note.userId')
- // Reply to me
- .orWhere(':meId = note.replyUserId')
- // DM to me
+ // Visible to me
 .orWhere(':meIdAsList <@ note.visibleUserIds')
- // Mentions me
- .orWhere(':meIdAsList <@ note.mentions')
 // Followers-only post
- .orWhere(new Brackets(qb => this
- .andFollowingUser(qb, ':meId', 'note.userId')
+ .orWhere(new Brackets(qb => qb
+ .andWhere(new Brackets(qbb => this
+ // Following author
+ .orFollowingUser(qbb, ':meId', 'note.userId')
+ // Mentions me
+ .orWhere(':meIdAsList <@ note.mentions')
+ // Reply to me
+ .orWhere(':meId = note.replyUserId')))
 .andWhere('note.visibility = \'followers\'')));
 q.setParameters({ meId: me.id, meIdAsList: [me.id] });
From 8f5212e453f7d20d1422fe5715e66d0b4a4610de Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Tue, 10 Jun 2025 19:56:36 -0400
Subject: [PATCH 2/2] enforce DM visibility in notes/mentions
---
 packages/backend/src/server/api/endpoints/notes/mentions.ts | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/packages/backend/src/server/api/endpoints/notes/mentions.ts b/packages/backend/src/server/api/endpoints/notes/mentions.ts
index a52f35cde6..f30e5a583f 100644
--- a/packages/backend/src/server/api/endpoints/notes/mentions.ts
+++ b/packages/backend/src/server/api/endpoints/notes/mentions.ts
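Review bot: The access rule in generateVisibilityQuery (QueryService.ts) is now carried only by the nesting of the two `Brackets`, and nothing in the patch states or tests it. A comment above the followers-only bracket would make the invariant explicit, for example `// Mention or reply grants access only to followers-only notes, never to a DM`. The diffstats of both patches list only the two source files, so a regression test appears to be missing: a user who is mentioned in, or replied to by, a DM without being in `visibleUserIds` should get no row from this query or from notes/mentions. The inner callback parameter `qb` also appears to shadow the outer `qb` that the chain starts from; names such as `followersQb` and `relationQb` would read better than `qb`/`qbb`. The enclosing method starts and ends outside the hunk, so the branches for other visibilities were not reviewed.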
@@ -79,14 +79,13 @@ export default class extends Endpoint { // eslint-
 , 'source')
 .innerJoin(MiNote, 'note', 'note.id = source.id');
- // Mentioned or visible users can always access
- //this.queryService.generateVisibilityQuery(query, me);
+ this.queryService.generateVisibilityQuery(qb, me);
 this.queryService.generateBlockedHostQueryForNote(qb);
 this.queryService.generateMutedUserQueryForNotes(qb, me);
 this.queryService.generateMutedNoteThreadQuery(qb, me);
 this.queryService.generateBlockedUserQueryForNotes(qb, me);
 // A renote can't mention a user, so it will never appear here anyway.
- //this.queryService.generateMutedUserRenotesQueryForNotes(query, me);
+ //this.queryService.generateMutedUserRenotesQueryForNotes(qb, me);
 if (ps.visibility) {
 qb.andWhere('note.visibility = :visibility', { visibility: ps.visibility });
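Review bot: The new `generateVisibilityQuery(qb, me)` call replaces a comment that justified skipping the filter, but nothing now records why the filter is required in this endpoint. A line such as `// Being mentioned does not imply access: DMs are visible only to users in visibleUserIds` above the call would keep the filter from being removed again as redundant. The commented-out `generateMutedUserRenotesQueryForNotes` call is dead code that this patch still edits; keeping only the explanatory comment above it would be cleaner. The query construction starts before the hunk and the `if (ps.visibility)` block continues past it.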