From 3a72bf453a6e37a9bbf96892d126c261cb4475dd Mon Sep 17 00:00:00 2001
From: Hazel K <acomputerdog@gmail.com>
Date: Fri, 4 Oct 2024 22:07:30 -0400
Subject: [PATCH] respect following privacy settings

---
 .../api/endpoints/federation/followers.ts       | 17 +++++++++++++++--
 .../api/endpoints/federation/following.ts       | 17 +++++++++++++++--
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/packages/backend/src/server/api/endpoints/federation/followers.ts b/packages/backend/src/server/api/endpoints/federation/followers.ts
index 42c0c29fa6..7a1056f772 100644
--- a/packages/backend/src/server/api/endpoints/federation/followers.ts
+++ b/packages/backend/src/server/api/endpoints/federation/followers.ts
@@ -5,7 +5,7 @@
 
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
-import { MiBlocking, type FollowingsRepository } from '@/models/_.js';
+import { MiBlocking, MiUserProfile, MiFollowing, type FollowingsRepository } from '@/models/_.js';
 import { QueryService } from '@/core/QueryService.js';
 import { FollowingEntityService } from '@/core/entities/FollowingEntityService.js';
 import { DI } from '@/di-symbols.js';
@@ -56,8 +56,21 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				.andWhere('following.followeeHost = :host', { host: ps.host });
 
 			if (!await this.roleService.isModerator(me)) {
-				query.leftJoin(MiBlocking, 'blocking', 'blocking."blockerId" = following."followeeId" AND blocking."blockeeId" = :me', { me: me.id });
+				query.setParameter('me', me.id);
+
+				// Make sure that the followee doesn't block us, as their profile is included in the response.
+				query.leftJoin(MiBlocking, 'blocking', 'blocking."blockerId" = following."followeeId" AND blocking."blockeeId" = :me');
 				query.andWhere('blocking.id IS NULL');
+
+				// Make sure that the followee hasn't hidden this connection.
+				query.leftJoin(MiUserProfile, 'followee', 'followee."userId" = following."followeeId"');
+				query.leftJoin(MiFollowing, 'me_following_followee', 'me_following_followee."followerId" = :me AND me_following_followee."followeeId" = following."followerId"');
+				query.andWhere('(followee."userId" = :me OR followee."followersVisibility" = \'public\' OR (followee."followersVisibility" = \'followers\' AND me_following_followee.id IS NOT NULL))');
+
+				// Make sure that the follower hasn't hidden this connection.
+				query.leftJoin(MiUserProfile, 'follower', 'follower."userId" = following."followerId"');
+				query.leftJoin(MiFollowing, 'me_following_follower', 'me_following_follower."followerId" = :me AND me_following_follower."followeeId" = following."followerId"');
+				query.andWhere('(follower."userId" = :me OR follower."followingVisibility" = \'public\' OR (follower."followingVisibility" = \'followers\' AND me_following_follower.id IS NOT NULL))');
 			}
 
 			const followings = await query
diff --git a/packages/backend/src/server/api/endpoints/federation/following.ts b/packages/backend/src/server/api/endpoints/federation/following.ts
index 0b36ffa4e1..bc60ffcb69 100644
--- a/packages/backend/src/server/api/endpoints/federation/following.ts
+++ b/packages/backend/src/server/api/endpoints/federation/following.ts
@@ -5,7 +5,7 @@
 
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
-import { MiBlocking, type FollowingsRepository } from '@/models/_.js';
+import { MiBlocking, MiUserProfile, MiFollowing, type FollowingsRepository } from '@/models/_.js';
 import { QueryService } from '@/core/QueryService.js';
 import { FollowingEntityService } from '@/core/entities/FollowingEntityService.js';
 import { DI } from '@/di-symbols.js';
@@ -56,8 +56,21 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				.andWhere('following.followerHost = :host', { host: ps.host });
 
 			if (!await this.roleService.isModerator(me)) {
-				query.leftJoin(MiBlocking, 'blocking', 'blocking."blockerId" = following."followeeId" AND blocking."blockeeId" = :me', { me: me.id });
+				query.setParameter('me', me.id);
+
+				// Make sure that the followee doesn't block us, as their profile is included in the response.
+				query.leftJoin(MiBlocking, 'blocking', 'blocking."blockerId" = following."followeeId" AND blocking."blockeeId" = :me');
 				query.andWhere('blocking.id IS NULL');
+
+				// Make sure that the followee hasn't hidden this connection.
+				query.leftJoin(MiUserProfile, 'followee', 'followee."userId" = following."followeeId"');
+				query.leftJoin(MiFollowing, 'me_following_followee', 'me_following_followee."followerId" = :me AND me_following_followee."followeeId" = following."followerId"');
+				query.andWhere('(followee."userId" = :me OR followee."followersVisibility" = \'public\' OR (followee."followersVisibility" = \'followers\' AND me_following_followee.id IS NOT NULL))');
+
+				// Make sure that the follower hasn't hidden this connection.
+				query.leftJoin(MiUserProfile, 'follower', 'follower."userId" = following."followerId"');
+				query.leftJoin(MiFollowing, 'me_following_follower', 'me_following_follower."followerId" = :me AND me_following_follower."followeeId" = following."followerId"');
+				query.andWhere('(follower."userId" = :me OR follower."followingVisibility" = \'public\' OR (follower."followingVisibility" = \'followers\' AND me_following_follower.id IS NOT NULL))');
 			}
 
 			const followings = await query