fix: don't leak the existence of private info in lists (#412)

2022-01-14 19:44:44 -05:00 · 2022-01-14 19:44:44 -05:00 · f08524ee19
commit f08524ee19
parent 50a24f03a7
2 changed files with 13 additions and 10 deletions
--- a/PluralKit.Bot/Commands/Lists/ContextListExt.cs
+++ b/PluralKit.Bot/Commands/Lists/ContextListExt.cs
@ -132,7 +132,7 @@ public static class ContextListExt
                        }
                    case SortProperty.DisplayName:
                        {
-                            if (m.DisplayName != null)
+                            if (m.DisplayName != null && m.NamePrivacy.CanAccess(lookupCtx))
                                ret += $"({m.DisplayName})";
                            break;
                        }
--- a/PluralKit.Bot/Commands/Lists/MemberListOptions.cs
+++ b/PluralKit.Bot/Commands/Lists/MemberListOptions.cs
@ -89,23 +89,26 @@ public static class MemberListOptionsExt
            // We want nulls last no matter what, even if orders are reversed
            SortProperty.Hid => input.OrderBy(m => m.Hid, ReverseMaybe(culture)),
            SortProperty.Name => input.OrderBy(m => m.NameFor(ctx), ReverseMaybe(culture)),
-            SortProperty.CreationDate => input.OrderBy(m => m.Created, ReverseMaybe(Comparer<Instant>.Default)),
-            SortProperty.MessageCount => input.OrderByDescending(m => m.MessageCount,
-                ReverseMaybe(Comparer<int>.Default)),
+            SortProperty.CreationDate => input
+                .OrderByDescending(m => m.MetadataPrivacy.CanAccess(ctx))
+                .ThenBy(m => m.MetadataPrivacy.Get(ctx, m.Created, default), ReverseMaybe(Comparer<Instant>.Default)),
+            SortProperty.MessageCount => input
+                .OrderByDescending(m => m.MessageCount != 0 && m.MetadataPrivacy.CanAccess(ctx))
+                .ThenByDescending(m => m.MetadataPrivacy.Get(ctx, m.MessageCount, 0), ReverseMaybe(Comparer<int>.Default)),
            SortProperty.DisplayName => input
-                .OrderByDescending(m => m.DisplayName != null)
-                .ThenBy(m => m.DisplayName, ReverseMaybe(culture)),
+                .OrderByDescending(m => m.DisplayName != null && m.NamePrivacy.CanAccess(ctx))
+                .ThenBy(m => m.NamePrivacy.Get(ctx, m.DisplayName), ReverseMaybe(culture)),
            SortProperty.Birthdate => input
-                .OrderByDescending(m => m.AnnualBirthday.HasValue)
-                .ThenBy(m => m.AnnualBirthday, ReverseMaybe(Comparer<AnnualDate?>.Default)),
+                .OrderByDescending(m => m.AnnualBirthday.HasValue && m.BirthdayPrivacy.CanAccess(ctx))
+                .ThenBy(m => m.BirthdayPrivacy.Get(ctx, m.AnnualBirthday), ReverseMaybe(Comparer<AnnualDate?>.Default)),
            SortProperty.LastMessage => throw new PKError(
                "Sorting by last message is temporarily disabled due to database issues, sorry."),
            // SortProperty.LastMessage => input
            //     .OrderByDescending(m => m.LastMessage.HasValue)
            //     .ThenByDescending(m => m.LastMessage, ReverseMaybe(Comparer<ulong?>.Default)),
            SortProperty.LastSwitch => input
-                .OrderByDescending(m => m.LastSwitchTime.HasValue)
-                .ThenByDescending(m => m.LastSwitchTime, ReverseMaybe(Comparer<Instant?>.Default)),
+                .OrderByDescending(m => m.LastSwitchTime.HasValue && m.MetadataPrivacy.CanAccess(ctx))
+                .ThenByDescending(m => m.MetadataPrivacy.Get(ctx, m.LastSwitchTime), ReverseMaybe(Comparer<Instant?>.Default)),
            SortProperty.Random => input
                .OrderBy(m => randGen.Next()),
            _ => throw new ArgumentOutOfRangeException($"Unknown sort property {opts.SortProperty}")