fix(api): 🚑 Correctly check visibility in timelines

2026-01-26 12:16:01 +01:00 · 2024-11-19 17:07:11 +01:00 · 2024-11-19 17:07:11 +01:00 · 653cf712ea
parent c20e6eb3b8
commit 653cf712ea
3 changed files with 30 additions and 4 deletions
--- a/api/api/v1/accounts/:id/statuses.ts
+++ b/api/api/v1/accounts/:id/statuses.ts
@ -2,7 +2,7 @@ import { apiRoute, applyConfig, auth, idValidator } from "@/api";
 import { createRoute } from "@hono/zod-openapi";
 import { Note, Timeline, User } from "@versia/kit/db";
 import { Notes, RolePermissions } from "@versia/kit/tables";
-import { and, eq, gt, gte, isNull, lt, sql } from "drizzle-orm";
+import { and, eq, gt, gte, inArray, isNull, lt, or, sql } from "drizzle-orm";
 import { z } from "zod";
 import { ErrorSchema } from "~/types/api";

@ -122,6 +122,15 @@ export default apiRoute((app) =>
                pinned
                    ? sql`EXISTS (SELECT 1 FROM "UserToPinnedNotes" WHERE "UserToPinnedNotes"."noteId" = ${Notes.id} AND "UserToPinnedNotes"."userId" = ${otherUser.id})`
                    : undefined,
+                // Visibility check
+                or(
+                    sql`EXISTS (SELECT 1 FROM "NoteToMentions" WHERE "NoteToMentions"."noteId" = ${Notes.id} AND "NoteToMentions"."userId" = ${otherUser.id})`,
+                    and(
+                        sql`EXISTS (SELECT 1 FROM "Relationships" WHERE "Relationships"."subjectId" = ${Notes.authorId} AND "Relationships"."ownerId" = ${otherUser.id} AND "Relationships"."following" = true)`,
+                        inArray(Notes.visibility, ["public", "private"]),
+                    ),
+                    inArray(Notes.visibility, ["public", "unlisted"]),
+                ),
                exclude_reblogs ? isNull(Notes.reblogId) : undefined,
                exclude_replies ? isNull(Notes.replyId) : undefined,
            ),
--- a/api/api/v1/timelines/home.ts
+++ b/api/api/v1/timelines/home.ts
@ -2,7 +2,7 @@ import { apiRoute, applyConfig, auth, idValidator } from "@/api";
 import { createRoute } from "@hono/zod-openapi";
 import { Note, Timeline } from "@versia/kit/db";
 import { Notes, RolePermissions } from "@versia/kit/tables";
-import { and, eq, gt, gte, lt, or, sql } from "drizzle-orm";
+import { and, eq, gt, gte, inArray, lt, or, sql } from "drizzle-orm";
 import { z } from "zod";
 import { ErrorSchema } from "~/types/api";

@ -79,10 +79,15 @@ export default apiRoute((app) =>
                    since_id ? gte(Notes.id, since_id) : undefined,
                    min_id ? gt(Notes.id, min_id) : undefined,
                ),
+                // Visibility check
                or(
                    eq(Notes.authorId, user.id),
                    sql`EXISTS (SELECT 1 FROM "NoteToMentions" WHERE "NoteToMentions"."noteId" = ${Notes.id} AND "NoteToMentions"."userId" = ${user.id})`,
+                    and(
                        sql`EXISTS (SELECT 1 FROM "Relationships" WHERE "Relationships"."subjectId" = ${Notes.authorId} AND "Relationships"."ownerId" = ${user.id} AND "Relationships"."following" = true)`,
+                        inArray(Notes.visibility, ["public", "private"]),
+                    ),
+                    eq(Notes.visibility, "public"),
                ),
                sql`NOT EXISTS (SELECT 1 FROM "Filters" WHERE "Filters"."userId" = ${user.id} AND "Filters"."filter_action" = 'hide' AND EXISTS (SELECT 1 FROM "FilterKeywords" WHERE "FilterKeywords"."filterId" = "Filters"."id" AND "Notes"."content" LIKE '%' || "FilterKeywords"."keyword" || '%') AND "Filters"."context" @> ARRAY['home'])`,
            ),
--- a/api/api/v1/timelines/public.ts
+++ b/api/api/v1/timelines/public.ts
@ -2,7 +2,7 @@ import { apiRoute, applyConfig, auth, idValidator } from "@/api";
 import { createRoute } from "@hono/zod-openapi";
 import { Note, Timeline } from "@versia/kit/db";
 import { Notes, RolePermissions } from "@versia/kit/tables";
-import { and, gt, gte, lt, sql } from "drizzle-orm";
+import { and, eq, gt, gte, inArray, lt, or, sql } from "drizzle-orm";
 import { z } from "zod";
 import { ErrorSchema } from "~/types/api";

@ -97,6 +97,18 @@ export default apiRoute((app) =>
                user
                    ? sql`NOT EXISTS (SELECT 1 FROM "Filters" WHERE "Filters"."userId" = ${user.id} AND "Filters"."filter_action" = 'hide' AND EXISTS (SELECT 1 FROM "FilterKeywords" WHERE "FilterKeywords"."filterId" = "Filters"."id" AND "Notes"."content" LIKE '%' || "FilterKeywords"."keyword" || '%') AND "Filters"."context" @> ARRAY['public'])`
                    : undefined,
+                // Visibility check
+                user
+                    ? or(
+                          eq(Notes.authorId, user.id),
+                          sql`EXISTS (SELECT 1 FROM "NoteToMentions" WHERE "NoteToMentions"."noteId" = ${Notes.id} AND "NoteToMentions"."userId" = ${user.id})`,
+                          and(
+                              sql`EXISTS (SELECT 1 FROM "Relationships" WHERE "Relationships"."subjectId" = ${Notes.authorId} AND "Relationships"."ownerId" = ${user.id} AND "Relationships"."following" = true)`,
+                              inArray(Notes.visibility, ["public", "private"]),
+                          ),
+                          eq(Notes.visibility, "public"),
+                      )
+                    : eq(Notes.visibility, "public"),
            ),
            limit,
            context.req.url,