From 2984abbe2be942b1b13d40d43576013fc7a4bb5f Mon Sep 17 00:00:00 2001
From: Laura Hausmann <laura@hausmann.dev>
Date: Tue, 6 Feb 2024 02:12:09 +0100
Subject: [PATCH] [backend/api] Only expose public notes on
 /api/iceshrimp/v1/user/{id}/notes

---
 Iceshrimp.Backend/Controllers/UserController.cs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Iceshrimp.Backend/Controllers/UserController.cs b/Iceshrimp.Backend/Controllers/UserController.cs
index 838f733d..5b866949 100644
--- a/Iceshrimp.Backend/Controllers/UserController.cs
+++ b/Iceshrimp.Backend/Controllers/UserController.cs
@@ -1,6 +1,8 @@
 using Iceshrimp.Backend.Controllers.Renderers;
 using Iceshrimp.Backend.Controllers.Schemas;
 using Iceshrimp.Backend.Core.Database;
+using Iceshrimp.Backend.Core.Database.Tables;
+using Iceshrimp.Backend.Core.Extensions;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.EntityFrameworkCore;
@@ -33,6 +35,7 @@ public class UserController(DatabaseContext db) : Controller {
 		var notes = db.Notes
 		              .Include(p => p.User)
 		              .Where(p => p.UserId == id)
+		              .HasVisibility(Note.NoteVisibility.Public)
 		              .OrderByDescending(p => p.Id)
 		              .Take(limit)
 		              .ToList();