From 94cd4cd6d3ece6cd8673a8d3d8d28e1ff8534f98 Mon Sep 17 00:00:00 2001
From: Sam
Date: Mon, 17 Apr 2023 16:33:05 +0200
Subject: [PATCH] fix(backend): don't count deleted users + unlisted members in meta endpoint

This technically leaked the *existence* of these users and members, but there's never been any way to enumerate users or unlisted members, so this is unlikely to have *actually* leaked any information. Still, for consistency's sake, this commit hides them from the user/member count.
---
 backend/routes/meta/meta.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend/routes/meta/meta.go b/backend/routes/meta/meta.go
index 609d691..40d27da 100644
--- a/backend/routes/meta/meta.go
+++ b/backend/routes/meta/meta.go
@@ -32,12 +32,12 @@ func (s *Server) meta(w http.ResponseWriter, r *http.Request) error {
 ctx := r.Context()
 var numUsers, numMembers int64
- err := s.DB.QueryRow(ctx, "SELECT COUNT(*) FROM users").Scan(&numUsers)
+ err := s.DB.QueryRow(ctx, "SELECT COUNT(*) FROM users WHERE deleted_at IS NULL").Scan(&numUsers)
 if err != nil {
 return errors.Wrap(err, "querying user count")
 }
- err = s.DB.QueryRow(ctx, "SELECT COUNT(*) FROM members").Scan(&numMembers)
+ err = s.DB.QueryRow(ctx, "SELECT COUNT(*) FROM members WHERE unlisted = false AND user_id = ANY(SELECT id FROM users WHERE deleted_at IS NULL)").Scan(&numMembers)
 if err != nil {
 return errors.Wrap(err, "querying user count")
 }
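Review bot: The `errors.Wrap` after the members query still reads `"querying user count"`, so a failure of the new, more complex member query cannot be told apart in logs from a failure of the user query; it should be `return errors.Wrap(err, "querying member count")`. The two WHERE clauses now encode a disclosure rule rather than a plain count, so a short comment above the queries, e.g. `// counts exclude soft-deleted users and unlisted members so this endpoint does not reveal their existence`, would keep a later simplification from quietly reintroducing the leak. If `members.unlisted` can be NULL (the schema is not visible here), `unlisted = false` silently drops those rows as well, so it is worth confirming the column is NOT NULL. The body of `meta` continues outside the hunk.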