From 3093f80d68c9f47e2e2a76bc9eafac0de315cae6 Mon Sep 17 00:00:00 2001
From: Athurg Gooth
Date: Thu, 13 Jul 2023 15:20:15 +0800
Subject: [PATCH] fix: visibility param override the user auth state (#1942)
fix visibility param override the user auth state
---
 api/v1/memo.go | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/api/v1/memo.go b/api/v1/memo.go
index 25ce4479..a363333f 100644
--- a/api/v1/memo.go
+++ b/api/v1/memo.go
@@ -6,7 +6,6 @@ import (
 "fmt"
 "net/http"
 "strconv"
- "strings"
 "time"
 "github.com/labstack/echo/v4"
@@ -357,16 +356,21 @@ func (s *APIV1Service) registerMemoRoutes(g *echo.Group) {
 currentUserID, ok := c.Get(getUserIDContextKey()).(int)
 if !ok {
+ // Anonymous use should only fetch PUBLIC memos with specified user
 if findMemoMessage.CreatorID == nil {
 return echo.NewHTTPError(http.StatusBadRequest, "Missing user id to find memo")
 }
 findMemoMessage.VisibilityList = []store.Visibility{store.Public}
 } else {
- if findMemoMessage.CreatorID == nil {
+ // Authorized user can fetch all PUBLIC/PROTECTED memo
+ visibilityList := []store.Visibility{store.Public, store.Protected}
+
+ // If Creator is authorized user (as default), PRIVATE memo is OK
+ if findMemoMessage.CreatorID == nil || *findMemoMessage.CreatorID == currentUserID {
 findMemoMessage.CreatorID = ¤tUserID
- } else {
- findMemoMessage.VisibilityList = []store.Visibility{store.Public, store.Protected}
+ visibilityList = append(visibilityList, store.Private)
 }
+ findMemoMessage.VisibilityList = visibilityList
 }
 rowStatus := store.RowStatus(c.QueryParam("rowStatus"))
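Review bot: The two assignments to `findMemoMessage.VisibilityList` in this hunk are now the handler's only access decision for PRIVATE and PROTECTED memos, yet nothing marks the field as off-limits to request input, which is how the removed `visibility` query parameter came to override it. I would add a comment above the final assignment such as `// VisibilityList is derived from the auth state only; never overwrite it from query parameters.` and, if clients still need to narrow results by visibility, intersect the requested values with `visibilityList` instead of replacing it. A regression test that sends `visibility=PRIVATE` both anonymously and as a user other than the requested creator would pin the fix; the handler body starts and ends outside this hunk, so other writes to the field cannot be ruled out from here. The new comment `Anonymous use should` presumably means `Anonymous user should`.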
@@ -390,14 +394,6 @@ func (s *APIV1Service) registerMemoRoutes(g *echo.Group) {
 }
 findMemoMessage.ContentSearch = contentSearch
- visibilityListStr := c.QueryParam("visibility")
- if visibilityListStr != "" {
- visibilityList := []store.Visibility{}
- for _, visibility := range strings.Split(visibilityListStr, ",") {
- visibilityList = append(visibilityList, store.Visibility(visibility))
- }
- findMemoMessage.VisibilityList = visibilityList
- }
 if limit, err := strconv.Atoi(c.QueryParam("limit")); err == nil {
 findMemoMessage.Limit = &limit
 }