
fix: oops didnt actually fix the comparison

əlemi 2024-06-10 04:07:58 +02:00
parent 3781d38f95
commit ec910693d9
Signed by: alemi
GPG key ID: A4895B84D311642C


@ -62,30 +62,28 @@ pub async fn page<const OUTGOING: bool>(
let limit = page.batch.unwrap_or(20).min(50); let limit = page.batch.unwrap_or(20).min(50);
let offset = page.offset.unwrap_or(0); let offset = page.offset.unwrap_or(0);
let mut filter = Condition::all() let (user, config) = model::actor::Entity::find_by_ap_id(&ctx.uid(&id))
.add(if OUTGOING { Follower } else { Following }.eq(ctx.uid(&id)));
let hidden = {
// TODO i could avoid this query if ctx.uid(id) == Identity::Local { id }
match model::actor::Entity::find_by_ap_id(&ctx.uid(&id))
.find_also_related(model::config::Entity) .find_also_related(model::config::Entity)
.one(ctx.db()) .one(ctx.db())
.await? .await?
.ok_or_else(ApiError::not_found)? .ok_or_else(ApiError::not_found)?;
{
let hidden = match config {
// assume all remote users have private followers // assume all remote users have private followers
// this because we get to see some of their "private" followers if they follow local users, // this because we get to see some of their "private" followers if they follow local users,
// and there is no mechanism to broadcast privacy on/off, so we could be leaking followers. to // and there is no mechanism to broadcast privacy on/off, so we could be leaking followers. to
// mitigate this, just assume them all private: local users can only see themselves and remote // mitigate this, just assume them all private: local users can only see themselves and remote
// fetchers can only see relations from their instance (meaning likely zero because we only // fetchers can only see relations from their instance (meaning likely zero because we only
// store relations for which at least one end is on local instance) // store relations for which at least one end is on local instance)
(_, None) => true, None => true,
(_, Some(config)) => { Some(config) => {
if OUTGOING { !config.show_followers } else { !config.show_following } if OUTGOING { !config.show_followers } else { !config.show_following }
},
} }
}; };
let mut filter = Condition::all()
.add(if OUTGOING { Follower } else { Following }.eq(user.internal));
if hidden { if hidden {
match auth { match auth {
Identity::Anonymous => return Err(ApiError::unauthorized()), Identity::Anonymous => return Err(ApiError::unauthorized()),
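Review bot: On the `Some(config)` arm, `OUTGOING` selects `show_followers`, while the filter built just below it selects rows on the `Follower` column, so the privacy flag and the listed relation may not refer to the same collection. If `Follower` holds the actor doing the following, then `OUTGOING` lists the accounts this user follows and the guard should read `if OUTGOING { !config.show_following } else { !config.show_followers }`; as written, a user who hides only one of the two lists would have the wrong one exposed. The column semantics are not visible in this hunk, so confirm against the relation model before changing it. A comment above the filter such as `// OUTGOING: rows where this actor is the follower, i.e. its "following" collection` would pin the intent either way. The body of `page` continues past the end of the hunk.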