From 2b46d0c2acec16885b56e7e0105f720ae5fb74de Mon Sep 17 00:00:00 2001
From: alyssa <alyssa@mailc.net>
Date: Tue, 16 Apr 2024 14:59:12 -0400
Subject: [PATCH] fix(api): correctly check privacy settings on group list
 endpoint

---
 PluralKit.API/Controllers/v2/GroupControllerV2.cs | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/PluralKit.API/Controllers/v2/GroupControllerV2.cs b/PluralKit.API/Controllers/v2/GroupControllerV2.cs
index 62db4525..aa932127 100644
--- a/PluralKit.API/Controllers/v2/GroupControllerV2.cs
+++ b/PluralKit.API/Controllers/v2/GroupControllerV2.cs
@@ -21,9 +21,6 @@ public class GroupControllerV2: PKControllerBase
 
         var ctx = ContextFor(system);
 
-        if (with_members && !system.MemberListPrivacy.CanAccess(ctx))
-            throw Errors.UnauthorizedMemberList;
-
         if (!system.GroupListPrivacy.CanAccess(ContextFor(system)))
             throw Errors.UnauthorizedGroupList;
 
@@ -34,17 +31,14 @@ public class GroupControllerV2: PKControllerBase
             .Select(g => g.ToJson(ctx, needsMembersArray: with_members))
             .ToListAsync();
 
-        if (with_members && !system.MemberListPrivacy.CanAccess(ctx))
-            throw Errors.UnauthorizedMemberList;
-
         if (with_members && j_groups.Count > 0)
         {
             var q = await _repo.GetGroupMemberInfo(await groups
                 .Where(g => g.Visibility.CanAccess(ctx))
+                .Where(g => g.ListPrivacy.CanAccess(ctx))
                 .Select(x => x.Id)
                 .ToListAsync());
 
-
             foreach (var row in q)
                 if (row.MemberVisibility.CanAccess(ctx))
                     ((JArray)j_groups.Find(x => x.Value<string>("id") == row.Group)["members"]).Add(row.MemberUuid);
@@ -151,4 +145,4 @@ public class GroupControllerV2: PKControllerBase
 
         return NoContent();
     }
-}
\ No newline at end of file
+}