From dc3c2d1ad4c42f2e511681a70ea15d0659a85b52 Mon Sep 17 00:00:00 2001 From: Laura Hausmann Date: Tue, 29 Oct 2024 17:36:18 +0100 Subject: [PATCH] [backend] Enforce blocks in NoteRepository.isVisibleForMe This commit addresses disclosed primitive 20 --- packages/backend/src/models/repositories/note.ts | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/packages/backend/src/models/repositories/note.ts b/packages/backend/src/models/repositories/note.ts index 7eda8d858..96e1b348c 100644 --- a/packages/backend/src/models/repositories/note.ts +++ b/packages/backend/src/models/repositories/note.ts @@ -10,7 +10,7 @@ import { Followings, Polls, Channels, - Notes, UserProfiles, + Notes, UserProfiles, Blockings, } from "../index.js"; import type { Packed } from "@/misc/schema.js"; import { nyaize } from "@/misc/nyaize.js"; @@ -113,6 +113,20 @@ async function populateIsRenoted( export const NoteRepository = db.getRepository(Note).extend({ async isVisibleForMe(note: Note, meId: User["id"] | null): Promise { + if (meId != null && meId !== note.userId) { + const blocked = await Blockings.count({ + where: { + blockeeId: meId, + blockerId: note.userId + }, + take: 1 + }); + + if (blocked !== 0) { + return false; + } + } + // This code must always be synchronized with the checks in generateVisibilityQuery. // visibility が specified かつ自分が指定されていなかったら非表示 if (note.visibility === "specified") {
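Review bot: The block check added at the top of `isVisibleForMe` matches only `blockerId: note.userId`, so it covers the note's direct author and nothing else; a renote or reply written by a third party that wraps a blocker's note is judged by the wrapper's author and would still pass, unless callers check the inner note separately (not visible in this hunk). The check also sits above the existing comment `// This code must always be synchronized with the checks in generateVisibilityQuery`, and the diffstat shows only this file changed, so a comment should say where the query path applies the same rule, e.g. `// Block enforcement: the query path must apply an equivalent block filter next to generateVisibilityQuery`. Callers with `meId == null` skip the lookup, apparently on purpose; a one-line comment such as `// anonymous viewers are not subject to block checks` would keep that from reading as an oversight. The body of `isVisibleForMe` continues past the end of the hunk.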