fix: don't allow private profiles to be exposed via mentions

crates/core/src/database/messages.rs

@@ -148,6 +148,17 @@ impl DataManager {
                         return Err(Error::NotAllowed);
                     }
 
+                    // check private status
+                    if user.settings.private_profile {
+                        if self
+                            .get_userfollow_by_initiator_receiver(user.id, data.owner)
+                            .await
+                            .is_err()
+                        {
+                            return Err(Error::NotAllowed);
+                        }
+                    }
+
                     // check if the user can read the channel
                     let membership = self
                         .get_membership_by_owner_community(user.id, channel.community)

crates/core/src/database/posts.rs

@@ -2067,6 +2067,17 @@ impl DataManager {
                         return Err(Error::NotAllowed);
                     }
 
+                    // check private status
+                    if user.settings.private_profile {
+                        if self
+                            .get_userfollow_by_initiator_receiver(user.id, data.owner)
+                            .await
+                            .is_err()
+                        {
+                            return Err(Error::NotAllowed);
+                        }
+                    }
+
                     // send notif
                     self.create_notification(Notification::new(
                         "You've been mentioned in a post!".to_string(),

crates/core/src/model/auth.rs

@@ -525,6 +525,11 @@ impl User {
             out.push(buffer);
         }
 
+        if out.len() > 5 {
+            // if we're trying to mention more than 5 people, mention nobody (we're a spammer)
+            return Vec::new();
+        }
+
         // return
         out
     }