From 7db09103e76218f6c867f4a9f1cbc2dd25512e3d Mon Sep 17 00:00:00 2001
From: Johann150 <johann.galle@protonmail.com>
Date: Sat, 11 Jun 2022 09:14:44 +0200
Subject: [PATCH] chore: synchronize visibility checks (#8687)

* reuse single meId parameter

* unify code style

Use template string to avoid having to use escaped quote marks.

* fix: follower only notes are visible to mentioned users

This synchronizes the visibility rules with the Notes.isVisibleForMe
method from packages/backend/src/models/repositories/note.ts

* add comment
---
 packages/backend/src/models/repositories/note.ts   |  1 +
 .../server/api/common/generate-visibility-query.ts | 14 ++++++++------
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/packages/backend/src/models/repositories/note.ts b/packages/backend/src/models/repositories/note.ts
index c0abbb4f9..3fefab031 100644
--- a/packages/backend/src/models/repositories/note.ts
+++ b/packages/backend/src/models/repositories/note.ts
@@ -136,6 +136,7 @@ async function populateMyReaction(note: Note, meId: User['id'], _hint_?: {
 
 export const NoteRepository = db.getRepository(Note).extend({
 	async isVisibleForMe(note: Note, meId: User['id'] | null): Promise<boolean> {
+		// This code must always be synchronized with the checks in generateVisibilityQuery.
 		// visibility が specified かつ自分が指定されていなかったら非表示
 		if (note.visibility === 'specified') {
 			if (meId == null) {
diff --git a/packages/backend/src/server/api/common/generate-visibility-query.ts b/packages/backend/src/server/api/common/generate-visibility-query.ts
index 715982934..b50b6812f 100644
--- a/packages/backend/src/server/api/common/generate-visibility-query.ts
+++ b/packages/backend/src/server/api/common/generate-visibility-query.ts
@@ -3,6 +3,7 @@ import { Followings } from '@/models/index.js';
 import { Brackets, SelectQueryBuilder } from 'typeorm';
 
 export function generateVisibilityQuery(q: SelectQueryBuilder<any>, me?: { id: User['id'] } | null) {
+	// This code must always be synchronized with the checks in Notes.isVisibleForMe.
 	if (me == null) {
 		q.andWhere(new Brackets(qb => { qb
 			.where(`note.visibility = 'public'`)
@@ -11,7 +12,7 @@ export function generateVisibilityQuery(q: SelectQueryBuilder<any>, me?: { id: U
 	} else {
 		const followingQuery = Followings.createQueryBuilder('following')
 			.select('following.followeeId')
-			.where('following.followerId = :followerId', { followerId: me.id });
+			.where('following.followerId = :meId');
 
 		q.andWhere(new Brackets(qb => { qb
 			// 公開投稿である
@@ -20,21 +21,22 @@ export function generateVisibilityQuery(q: SelectQueryBuilder<any>, me?: { id: U
 				.orWhere(`note.visibility = 'home'`);
 			}))
 			// または 自分自身
-			.orWhere('note.userId = :userId1', { userId1: me.id })
+			.orWhere('note.userId = :meId')
 			// または 自分宛て
-			.orWhere(`'{"${me.id}"}' <@ note.visibleUserIds`)
+			.orWhere(':meId = ANY(note.visibleUserIds)')
+			.orWhere(':meId = ANY(note.mentions)')
 			.orWhere(new Brackets(qb => { qb
 				// または フォロワー宛ての投稿であり、
-				.where('note.visibility = \'followers\'')
+				.where(`note.visibility = 'followers'`)
 				.andWhere(new Brackets(qb => { qb
 					// 自分がフォロワーである
 					.where(`note.userId IN (${ followingQuery.getQuery() })`)
 					// または 自分の投稿へのリプライ
-					.orWhere('note.replyUserId = :userId3', { userId3: me.id });
+					.orWhere('note.replyUserId = :meId');
 				}));
 			}));
 		}));
 
-		q.setParameters(followingQuery.getParameters());
+		q.setParameters({ meId: me.id });
 	}
 }