fix(server): do not leak people (#4710)

2023-10-30 09:44:05 +01:00 · 2023-10-30 09:44:05 +01:00 · cc3149c520
commit cc3149c520
parent 512f672e9e
1 changed files with 9 additions and 6 deletions
--- a/server/src/infra/repositories/person.repository.ts
+++ b/server/src/infra/repositories/person.repository.ts
@ -103,15 +103,18 @@ export class PersonRepository implements IPersonRepository {
    return this.personRepository.findOne({ where: { id: personId } });
  }

-  getByName(userId: string, personName: string, { withHidden }: PersonNameSearchOptions): Promise<PersonEntity[]> {
+  async getByName(
+    userId: string,
+    personName: string,
+    { withHidden }: PersonNameSearchOptions,
+  ): Promise<PersonEntity[]> {
    const queryBuilder = this.personRepository
      .createQueryBuilder('person')
      .leftJoin('person.faces', 'face')
-      .where('person.ownerId = :userId', { userId })
-      .andWhere('LOWER(person.name) LIKE :nameStart OR LOWER(person.name) LIKE :nameAnywhere', {
-        nameStart: `${personName.toLowerCase()}%`,
-        nameAnywhere: `% ${personName.toLowerCase()}%`,
-      })
+      .where(
+        'person.ownerId = :userId AND (LOWER(person.name) LIKE :nameStart OR LOWER(person.name) LIKE :nameAnywhere)',
+        { userId, nameStart: `${personName.toLowerCase()}%`, nameAnywhere: `% ${personName.toLowerCase()}%` },
+      )
      .groupBy('person.id')
      .orderBy('COUNT(face.assetId)', 'DESC')
      .limit(20);