From cc3149c52017634d980d934c14cf50ff9a8552d0 Mon Sep 17 00:00:00 2001
From: martin <74269598+martabal@users.noreply.github.com>
Date: Mon, 30 Oct 2023 09:44:05 +0100
Subject: [PATCH] fix(server): do not leak people (#4710)
---
 .../src/infra/repositories/person.repository.ts | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/server/src/infra/repositories/person.repository.ts b/server/src/infra/repositories/person.repository.ts
index 12bd476053..bbe1b538e1 100644
--- a/server/src/infra/repositories/person.repository.ts
+++ b/server/src/infra/repositories/person.repository.ts
@@ -103,15 +103,18 @@ export class PersonRepository implements IPersonRepository {
 return this.personRepository.findOne({ where: { id: personId } });
 }
 
- getByName(userId: string, personName: string, { withHidden }: PersonNameSearchOptions): Promise {
+ async getByName(
+ userId: string,
+ personName: string,
+ { withHidden }: PersonNameSearchOptions,
+ ): Promise {
 const queryBuilder = this.personRepository
 .createQueryBuilder('person')
 .leftJoin('person.faces', 'face')
- .where('person.ownerId = :userId', { userId })
- .andWhere('LOWER(person.name) LIKE :nameStart OR LOWER(person.name) LIKE :nameAnywhere', {
- nameStart: `${personName.toLowerCase()}%`,
- nameAnywhere: `% ${personName.toLowerCase()}%`,
- })
+ .where(
+ 'person.ownerId = :userId AND (LOWER(person.name) LIKE :nameStart OR LOWER(person.name) LIKE :nameAnywhere)',
+ { userId, nameStart: `${personName.toLowerCase()}%`, nameAnywhere: `% ${personName.toLowerCase()}%` },
+ )
 .groupBy('person.id')
 .orderBy('COUNT(face.assetId)', 'DESC')
 .limit(20);
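Review bot: The owner filter in the new `.where(...)` is now protected only by the parentheses inside a raw SQL string, and nothing in the code says why they matter; without them `AND` binds tighter than `OR`, so the `:nameAnywhere` branch matches people of any owner. I would add a comment above the call, e.g. `// Keep the name match parenthesised: an unbracketed OR escapes the ownerId filter and returns other users' people.` The diffstat shows only this file changed, so the fix ships without a regression test; a test with two owners whose people share a name fragment would pin the behaviour. getByName continues past the hunk (the `withHidden` handling is not visible), so any later `andWhere` carrying a top-level `OR` should be checked for the same precedence problem. Separately, `%` and `_` in `personName` still act as LIKE wildcards inside the bound values; they stay within the owner's rows, but could be escaped if literal matching is intended.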