merge: Enforce DM visibility in generateVisibilityQuery (!1108)

View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/1108 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Marie <github@yuugi.dev>
2025-07-08 04:54:32 +00:00 · 2025-06-11 21:15:30 +00:00 · 2025-06-11 21:15:30 +00:00 · 791487c4df
commit 791487c4df
parent 8cf6f32869 8f5212e453
2 changed files with 11 additions and 10 deletions
--- a/packages/backend/src/core/QueryService.ts
+++ b/packages/backend/src/core/QueryService.ts
@ -157,15 +157,17 @@ export class QueryService {
 				qb
 					// My post
 					.orWhere(':meId = note.userId')
-					// Reply to me
-					.orWhere(':meId = note.replyUserId')
-					// DM to me
+					// Visible to me
 					.orWhere(':meIdAsList <@ note.visibleUserIds')
+					// Followers-only post
+					.orWhere(new Brackets(qb => qb
+						.andWhere(new Brackets(qbb => this
+							// Following author
+							.orFollowingUser(qbb, ':meId', 'note.userId')
 							// Mentions me
 							.orWhere(':meIdAsList <@ note.mentions')
-					// Followers-only post
-					.orWhere(new Brackets(qb => this
-						.andFollowingUser(qb, ':meId', 'note.userId')
+							// Reply to me
+							.orWhere(':meId = note.replyUserId')))
 						.andWhere('note.visibility = \'followers\'')));

 				q.setParameters({ meId: me.id, meIdAsList: [me.id] });
--- a/packages/backend/src/server/api/endpoints/notes/mentions.ts
+++ b/packages/backend/src/server/api/endpoints/notes/mentions.ts
@ -79,14 +79,13 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 						, 'source')
 						.innerJoin(MiNote, 'note', 'note.id = source.id');

-					// Mentioned or visible users can always access
-					//this.queryService.generateVisibilityQuery(query, me);
+					this.queryService.generateVisibilityQuery(qb, me);
 					this.queryService.generateBlockedHostQueryForNote(qb);
 					this.queryService.generateMutedUserQueryForNotes(qb, me);
 					this.queryService.generateMutedNoteThreadQuery(qb, me);
 					this.queryService.generateBlockedUserQueryForNotes(qb, me);
 					// A renote can't mention a user, so it will never appear here anyway.
-					//this.queryService.generateMutedUserRenotesQueryForNotes(query, me);
+					//this.queryService.generateMutedUserRenotesQueryForNotes(qb, me);

 					if (ps.visibility) {
 						qb.andWhere('note.visibility = :visibility', { visibility: ps.visibility });