From 408e782507837da4c9b2164266d6f6f3e48d1642 Mon Sep 17 00:00:00 2001
From: Julia Johannesen
Date: Thu, 14 Nov 2024 21:38:17 -0500
Subject: [PATCH] fix: primitive 19 & 20: respect blocks and hide more

Ideally, the user property should also be hidden (as leaving it in leaks information slightly), but given the schema of the note endpoint, I don't think that would be possible without introducing some kind of "ghost" user, who is attributed for posts by users who have you blocked.
---
 .../src/core/entities/NoteEntityService.ts | 43 ++++++++++++++++++-
 1 file changed, 41 insertions(+), 2 deletions(-)

diff --git a/packages/backend/src/core/entities/NoteEntityService.ts b/packages/backend/src/core/entities/NoteEntityService.ts
index 4dd17c5af3..2855ae78f7 100644
--- a/packages/backend/src/core/entities/NoteEntityService.ts
+++ b/packages/backend/src/core/entities/NoteEntityService.ts
@@ -11,7 +11,7 @@ import type { Packed } from '@/misc/json-schema.js';
 import { awaitAll } from '@/misc/prelude/await-all.js';
 import type { MiUser } from '@/models/User.js';
 import type { MiNote } from '@/models/Note.js';
-import type { UsersRepository, NotesRepository, FollowingsRepository, PollsRepository, PollVotesRepository, NoteReactionsRepository, ChannelsRepository, MiMeta } from '@/models/_.js';
+import type { BlockingsRepository, UsersRepository, NotesRepository, FollowingsRepository, PollsRepository, PollVotesRepository, NoteReactionsRepository, ChannelsRepository, MiMeta } from '@/models/_.js';
 import { bindThis } from '@/decorators.js';
 import { DebounceLoader } from '@/misc/loader.js';
 import { IdService } from '@/core/IdService.js';
@@ -39,6 +39,9 @@ export class NoteEntityService implements OnModuleInit {
 @Inject(DI.meta)
 private meta: MiMeta,
+ @Inject(DI.blockingsRepository)
+ private blockingsRepository: BlockingsRepository,
+
 @Inject(DI.usersRepository)
 private usersRepository: UsersRepository,
@@ -142,6 +145,17 @@ export class NoteEntityService implements OnModuleInit {
 }
 }
+ if (!hide && meId && packedNote.userId !== meId) {
+ const isBlocked = await this.blockingsRepository.exists({
+ where: {
+ blockeeId: meId,
+ blockerId: packedNote.userId,
+ },
+ });
+
+ if (isBlocked) hide = true;
+ }
+
 if (hide) {
 packedNote.visibleUserIds = undefined;
 packedNote.fileIds = [];
@@ -149,6 +163,12 @@ export class NoteEntityService implements OnModuleInit {
 packedNote.text = null;
 packedNote.poll = undefined;
 packedNote.cw = null;
+ packedNote.repliesCount = 0;
+ packedNote.reactionAcceptance = null;
+ packedNote.reactionAndUserPairCache = undefined;
+ packedNote.reactionCount = 0;
+ packedNote.reactionEmojis = undefined;
+ packedNote.reactions = undefined;
 packedNote.isHidden = true;
 }
 }
@@ -262,7 +282,13 @@ export class NoteEntityService implements OnModuleInit {
 return true;
 } else {
 // フォロワーかどうか
- const [following, user] = await Promise.all([
+ const [blocked, following, user] = await Promise.all([
+ this.blockingsRepository.exists({
+ where: {
+ blockeeId: meId,
+ blockerId: note.userId,
+ },
+ }),
 this.followingsRepository.count({
 where: {
 followeeId: note.userId,
@@ -273,6 +299,8 @@ export class NoteEntityService implements OnModuleInit {
 this.usersRepository.findOneByOrFail({ id: meId }),
 ]);
+ if (blocked) return false;
+
 /* If we know the following, everyhting is fine.
 But if we do not know the following, it might be that both the
@@ -284,6 +312,17 @@ export class NoteEntityService implements OnModuleInit {
 }
 }
+ if (meId != null) {
+ const isBlocked = await this.blockingsRepository.exists({
+ where: {
+ blockeeId: meId,
+ blockerId: note.userId,
+ },
+ });
+
+ if (isBlocked) return false;
+ }
+
 return true;
 }
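Review bot: In the `@@ -142,6 +145,17 @@` hunk the block lookup is skipped whenever `meId` is falsy, so block-based hiding covers signed-in viewers only; a request without a viewer presumably still gets the note as the earlier `hide` logic left it. If that is the accepted limit of blocking here, say so next to the check, e.g. `// Blocks are only enforced for authenticated viewers; anonymous requests are unaffected.` The lookup also runs one `blockingsRepository.exists` query for every packed note that is not already hidden, which adds a database round trip per note on list responses; resolving the viewer's blockers once per request would avoid that. The enclosing method starts and ends outside the hunk.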
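Review bot: In the `@@ -149,6 +163,12 @@` hunk `repliesCount` and `reactionCount` are zeroed but no renote counter is, and nothing visible clears mentions, tags, emojis or the reply/renote references, so a hidden note may still expose part of what the commit sets out to hide. If the packed note carries those fields, reset them in the same block, for example `packedNote.renoteCount = 0;`. A comment above the assignments naming the fields that are deliberately kept (the description mentions `user`) would make it harder to miss the next field added to the schema. The `if (hide)` block opens outside this hunk.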
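Review bot: In the `@@ -262,7 +282,13 @@` hunk the block lookup is added only inside the `else` branch, so the `return true;` directly above `} else {` is still reached without consulting `blockingsRepository`. That branch's condition lies outside the hunk; if it covers viewers who are mentioned or replied to, a followers-only note stays visible to a user its author has blocked. Running the lookup before the branch, or guarding that return with the same `if (blocked) return false;` that the `@@ -273,6 +299,8 @@` hunk adds for the follower path, would close the gap.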
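Review bot: The final check in `@@ -284,6 +312,17 @@` repeats the lookup already written in `@@ -142,6 +145,17 @@` and `@@ -262,7 +282,13 @@`, each time with a different guard: `meId &&` plus `packedNote.userId !== meId` there, `meId != null` with no self-check here, so an author viewing their own note pays for a query that presumably cannot match. One private helper would keep the three call sites consistent and give a single place for a doc comment stating that the viewer is the blockee and the note author the blocker. The enclosing method starts outside the hunk.

```typescript
	/** True when the author `blockerId` has blocked the viewer `meId`; false for anonymous viewers and for the author themself. */
	@bindThis
	private async isBlockedBy(blockerId: MiUser['id'], meId: MiUser['id'] | null | undefined): Promise<boolean> {
		if (meId == null || blockerId === meId) return false;

		return await this.blockingsRepository.exists({
			where: { blockeeId: meId, blockerId },
		});
	}

	// … unchanged: earlier visibility branches …
	if (await this.isBlockedBy(note.userId, meId)) return false;

	return true;
```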