From 5cc137a0caccfa05f80ce5f0bfb1cd53bd49f108 Mon Sep 17 00:00:00 2001
From: trisua
Date: Fri, 15 Aug 2025 19:36:50 -0400
Subject: [PATCH] fix: don't allow private profiles to be exposed via mentions

---
 crates/core/src/database/messages.rs | 11 +++++++++++
 crates/core/src/database/posts.rs | 11 +++++++++++
 crates/core/src/model/auth.rs | 5 +++++
 3 files changed, 27 insertions(+)

diff --git a/crates/core/src/database/messages.rs b/crates/core/src/database/messages.rs
index 3acb2ee..6b7c037 100644
--- a/crates/core/src/database/messages.rs
+++ b/crates/core/src/database/messages.rs
@@ -148,6 +148,17 @@ impl DataManager {
 return Err(Error::NotAllowed);
 }
 
+ // check private status
+ if user.settings.private_profile {
+ if self
+ .get_userfollow_by_initiator_receiver(user.id, data.owner)
+ .await
+ .is_err()
+ {
+ return Err(Error::NotAllowed);
+ }
+ }
+
 // check if the user can read the channel
 let membership = self
 .get_membership_by_owner_community(user.id, channel.community)
diff --git a/crates/core/src/database/posts.rs b/crates/core/src/database/posts.rs
index 35448de..00256a4 100644
--- a/crates/core/src/database/posts.rs
+++ b/crates/core/src/database/posts.rs
@@ -2067,6 +2067,17 @@ impl DataManager {
 return Err(Error::NotAllowed);
 }
 
+ // check private status
+ if user.settings.private_profile {
+ if self
+ .get_userfollow_by_initiator_receiver(user.id, data.owner)
+ .await
+ .is_err()
+ {
+ return Err(Error::NotAllowed);
+ }
+ }
+
 // send notif
 self.create_notification(Notification::new(
 "You've been mentioned in a post!".to_string(),
diff --git a/crates/core/src/model/auth.rs b/crates/core/src/model/auth.rs
index 3da4db8..0f4799f 100644
--- a/crates/core/src/model/auth.rs
+++ b/crates/core/src/model/auth.rs
@@ -525,6 +525,11 @@ impl User {
 out.push(buffer);
 }
 
+ if out.len() > 5 {
+ // if we're trying to mention more than 5 people, mention nobody (we're a spammer)
+ return Vec::new();
+ }
+
 //
 return out
 }
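Review bot: The private-profile gate added in the messages.rs hunk is the same eleven lines as the one added in posts.rs at @@ -2067, and both sit inside `DataManager` methods whose start and end lie outside their hunks; a single helper on `DataManager` (an async fn taking the mentioned `user` and the author id and returning `Err(Error::NotAllowed)` when the mention must be refused) would keep the two copies from drifting and make the next mention surface hard to get wrong. The nested `if` also collapses to `if user.settings.private_profile && self.get_userfollow_by_initiator_receiver(user.id, data.owner).await.is_err() { return Err(Error::NotAllowed); }` (clippy `collapsible_if`). `.is_err()` maps a failed database lookup to the same `NotAllowed` as a missing follow row; failing closed is the right default, but if the error type distinguishes not-found from other failures, matching on it would let outages surface as errors rather than look like an authorization decision. A `NotAllowed` here also tells the author that the mentioned account is private and does not follow them, which is itself information about the private profile; silently skipping the mention may fit the intent better, though whether callers tolerate that is not visible in the hunk. The follow direction (mentioned user as initiator, `data.owner` as receiver) is presumably the same relation that gates profile views elsewhere — worth confirming against that code.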
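Review bot: The cap in `if out.len() > 5` in the auth.rs hunk is a bare literal whose meaning lives only in the comment under it; name it, e.g. `const MAX_MENTIONS: usize = 5;` beside `impl User` and write `if out.len() > MAX_MENTIONS`, so any limit quoted in docs or the UI has one source. Dropping every mention rather than truncating is a contract callers could misread, so the enclosing method's `///` docs (its signature is outside the hunk) should state that more than `MAX_MENTIONS` parsed mentions yields an empty Vec. If `out` is not deduplicated before this point — the loop that fills it starts above the hunk — the same handle repeated six times also empties the result, which may be intended but belongs in that same doc comment. The in-block comment could then shrink to `// more than MAX_MENTIONS mentions is treated as spam: mention nobody`.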