From fdf2371ea9487c421527756313d4b9e7b9bb88ff Mon Sep 17 00:00:00 2001
From: Grishka
Date: Thu, 19 Oct 2023 07:48:54 +0300
Subject: [PATCH] Add privacy checks to more places
---
 .../controllers/NewsfeedController.java | 13 +++++++++++++
 .../smithereen/controllers/WallController.java | 12 +++++++-----
 src/main/java/smithereen/routes/PostRoutes.java | 16 ++++++++--------
 3 files changed, 28 insertions(+), 13 deletions(-)
diff --git a/src/main/java/smithereen/controllers/NewsfeedController.java b/src/main/java/smithereen/controllers/NewsfeedController.java
index afc4abb9..83d75d12 100644
--- a/src/main/java/smithereen/controllers/NewsfeedController.java
+++ b/src/main/java/smithereen/controllers/NewsfeedController.java
@@ -10,12 +10,17 @@
 import java.time.ZoneId;
 import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
 import smithereen.ApplicationContext;
 import smithereen.LruCache;
 import smithereen.model.Account;
 import smithereen.model.PaginatedList;
+import smithereen.model.Post;
 import smithereen.model.User;
 import smithereen.model.feed.GroupedNewsfeedEntry;
 import smithereen.model.feed.NewsfeedEntry;
@@ -71,6 +76,14 @@ public PaginatedList getFriendsFeed(Account self, ZoneId timeZone
 if(newPage.isEmpty()){
 break;
 }
+
+ Set needPosts=newPage.stream().filter(e->e.type==NewsfeedEntry.Type.POST).map(e->e.objectID).collect(Collectors.toSet());
+ if(!needPosts.isEmpty()){
+ Map posts=context.getWallController().getPosts(needPosts);
+ Set inaccessiblePosts=posts.values().stream().filter(p->!context.getPrivacyController().checkPostPrivacy(self.user, p)).map(p->p.id).collect(Collectors.toSet());
+ newPage.removeIf(e->e.type==NewsfeedEntry.Type.POST && inaccessiblePosts.contains(e.objectID));
+ }
+
 int sizeBefore=cache.feed.size();
 cache.add(newPage);
 int i=0;
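Review bot: The filter added to getFriendsFeed fails open: `inaccessiblePosts` is built only from the posts that `getPosts(needPosts)` actually returned, so a POST entry whose ID is absent from that map is never removed and stays in the feed. Inverting the set makes it fail closed: collect the IDs that pass `checkPostPrivacy` into `accessiblePosts` and use `newPage.removeIf(e->e.type==NewsfeedEntry.Type.POST && !accessiblePosts.contains(e.objectID));`. Whether `getPosts` can omit requested IDs is not visible here, and the body of getFriendsFeed continues outside the hunk. Only entries of type POST are checked, so if other entry types also reference posts they would need the same treatment.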
diff --git a/src/main/java/smithereen/controllers/WallController.java b/src/main/java/smithereen/controllers/WallController.java
index 5538fde6..2331df13 100644
--- a/src/main/java/smithereen/controllers/WallController.java
+++ b/src/main/java/smithereen/controllers/WallController.java
@@ -580,12 +580,12 @@ public String getPostSource(Post post){
 }
 }
- public PaginatedList getReplies(List key, int primaryOffset, int primaryCount, int secondaryCount){
+ public PaginatedList getReplies(@Nullable User self, List key, int primaryOffset, int primaryCount, int secondaryCount){
 try{
 PostStorage.ThreadedReplies tr=PostStorage.getRepliesThreaded(key.stream().mapToInt(Integer::intValue).toArray(), primaryOffset, primaryCount, secondaryCount);
- List posts=tr.posts().stream().map(PostViewModel::new).toList();
- List replies=tr.replies().stream().map(PostViewModel::new).toList();
+ List posts=tr.posts().stream().filter(p->context.getPrivacyController().checkPostPrivacy(self, p)).map(PostViewModel::new).toList();
+ List replies=tr.replies().stream().filter(p->context.getPrivacyController().checkPostPrivacy(self, p)).map(PostViewModel::new).toList();
 Map postMap=Stream.of(posts, replies).flatMap(List::stream).collect(Collectors.toMap(p->p.post.id, Function.identity()));
 for(PostViewModel post:replies){
@@ -603,9 +603,11 @@ public PaginatedList getReplies(List key, int primaryOff
 }
 }
- public PaginatedList getRepliesExact(List key, int maxID, int count){
+ public PaginatedList getRepliesExact(@Nullable User self, List key, int maxID, int count){
 try{
- return PostStorage.getRepliesExact(key.stream().mapToInt(Integer::intValue).toArray(), maxID, count);
+ PaginatedList posts=PostStorage.getRepliesExact(key.stream().mapToInt(Integer::intValue).toArray(), maxID, count);
+ context.getPrivacyController().filterPosts(self, posts.list);
+ return posts;
 }catch(SQLException x){
 throw new InternalServerErrorException(x);
 }
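Review bot: In getReplies, `posts` and `replies` are filtered independently, so a reply that passes `checkPostPrivacy` can remain while the comment it answers was dropped, and `postMap` then has no entry for its parent. The `for(PostViewModel post:replies)` loop body is outside the hunk, so confirm that it tolerates a missing parent and that such orphaned replies are not rendered, since a reply can reveal what a hidden comment said. A comment above the two filters, e.g. `// Replies whose parent was filtered out must not be attached or shown`, would record the intent. The new `@Nullable User self` parameter also deserves a Javadoc line stating that null means an unauthenticated viewer.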
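Review bot: getRepliesExact filters `posts.list` in place after storage has already applied `maxID` and `count`, so any total or page-size metadata carried by the returned PaginatedList still describes the unfiltered result. That can let a caller infer how many replies were hidden, and a short page can look like the end of the thread; the same applies to the PaginatedList returned by getReplies, whose construction is outside the previous hunk. Either adjust the metadata after filtering or document on both methods that the returned list may be shorter than requested. `filterPosts` also assumes `posts.list` is mutable, which depends on how PostStorage builds it and is not visible here.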
diff --git a/src/main/java/smithereen/routes/PostRoutes.java b/src/main/java/smithereen/routes/PostRoutes.java
index 758918c2..d76559df 100644
--- a/src/main/java/smithereen/routes/PostRoutes.java
+++ b/src/main/java/smithereen/routes/PostRoutes.java
@@ -295,13 +295,7 @@ public static Object standalonePost(Request req, Response resp){
 owner=ctx.getUsersController().getUserOrThrow(post.post.ownerID);
 User author=ctx.getUsersController().getUserOrThrow(post.post.authorID);
-
- int offset=offset(req);
- PaginatedList replies=ctx.getWallController().getReplies(replyKey, offset, 100, 50);
 RenderedTemplateResponse model=new RenderedTemplateResponse("wall_post_standalone", req);
- model.paginate(replies);
- model.with("post", post);
- model.with("isGroup", post.post.ownerID<0);
 SessionInfo info=Utils.sessionInfo(req);
 User self=null;
 if(info!=null && info.account!=null){
@@ -312,6 +306,12 @@ public static Object standalonePost(Request req, Response resp){
 self=info.account.user;
 }
+ int offset=offset(req);
+ PaginatedList replies=ctx.getWallController().getReplies(self, replyKey, offset, 100, 50);
+ model.paginate(replies);
+ model.with("post", post);
+ model.with("isGroup", post.post.ownerID<0);
+
 boolean canOverridePrivacy=false;
 if(self!=null && info.permissions.serverAccessLevel.ordinal()>=Account.AccessLevel.MODERATOR.ordinal()){
 int reportID=safeParseInt(req.queryParams("report"));
@@ -621,7 +621,7 @@ public static Object ajaxCommentPreview(Request req, Response resp){
 if(maxID==0) throw new BadRequestException();
- PaginatedList comments=PostViewModel.wrap(ctx.getWallController().getRepliesExact(List.of(post.id), maxID, 100));
+ PaginatedList comments=PostViewModel.wrap(ctx.getWallController().getRepliesExact(self!=null ? self.user : null, List.of(post.id), maxID, 100));
 RenderedTemplateResponse model=new RenderedTemplateResponse("wall_reply_list", req);
 model.with("comments", comments.list);
 preparePostList(ctx, comments.list, model);
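Review bot: The replies in standalonePost are now fetched with `self` before `canOverridePrivacy` is computed a few lines below, so the moderator report override cannot apply to them. If moderators reviewing a report are meant to see the whole thread, the `getReplies` call has to move after that block and take the override into account. If not, a comment such as `// Replies are always filtered by the viewer's own privacy, even under a report override` would make the choice explicit. The function continues outside the hunk, so how `canOverridePrivacy` is used later is not visible here.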
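Review bot: `self!=null ? self.user : null` is now repeated at each call that needs the viewer: once here in ajaxCommentPreview and twice in ajaxCommentBranch in the next hunk. Resolving it once per handler, e.g. `User viewer=self!=null ? self.user : null;`, keeps the privacy argument identical across calls and makes it harder to pass the wrong identity when another check is added. The lines that load `post` in ajaxCommentPreview are outside the hunk; confirm the parent post goes through `enforceObjectPrivacy` there as it does in ajaxCommentBranch.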
@@ -649,7 +649,7 @@ public static Object ajaxCommentBranch(Request req, Response resp){
 Post post=ctx.getWallController().getPostOrThrow(parseIntOrDefault(req.params(":postID"), 0));
 ctx.getPrivacyController().enforceObjectPrivacy(self!=null ? self.user : null, post);
- List comments=ctx.getWallController().getReplies(post.getReplyKeyForReplies(), offset, 100, 50).list;
+ List comments=ctx.getWallController().getReplies(self!=null ? self.user : null, post.getReplyKeyForReplies(), offset, 100, 50).list;
 RenderedTemplateResponse model=new RenderedTemplateResponse("wall_reply_list", req);
 model.with("comments", comments);
 ArrayList allReplies=new ArrayList<>();