From 137803738457b4303117c56a4da887fee809688a Mon Sep 17 00:00:00 2001
From: Laura Hausmann <laura@hausmann.dev>
Date: Sun, 4 Feb 2024 20:23:42 +0100
Subject: [PATCH] [backend] Only allow author to see hidden posts

---
 .../src/server/api/common/generate-visibility-query.ts      | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/packages/backend/src/server/api/common/generate-visibility-query.ts b/packages/backend/src/server/api/common/generate-visibility-query.ts
index f23874519..6f2bb35fd 100644
--- a/packages/backend/src/server/api/common/generate-visibility-query.ts
+++ b/packages/backend/src/server/api/common/generate-visibility-query.ts
@@ -57,6 +57,12 @@ export function generateVisibilityQuery(
 			}),
 		);
 
+		q.andWhere(new Brackets((qb) => {
+			qb.where(`note.visibility != 'hidden'`).orWhere(
+				`note.userId = :meId`,
+			);
+		}));
+
 		q.setParameters({ meId: me.id });
 	}
 }