From a39d0c8ab688da55dbe39991523edb5472d156f5 Mon Sep 17 00:00:00 2001
From: spiral <spiral@spiral.sh>
Date: Sun, 12 Feb 2023 04:29:11 +0000
Subject: [PATCH] fix(api): check visibility for group members in groups
 endpoint

---
 PluralKit.API/Controllers/v2/GroupControllerV2.cs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/PluralKit.API/Controllers/v2/GroupControllerV2.cs b/PluralKit.API/Controllers/v2/GroupControllerV2.cs
index 25c88127..39dabd02 100644
--- a/PluralKit.API/Controllers/v2/GroupControllerV2.cs
+++ b/PluralKit.API/Controllers/v2/GroupControllerV2.cs
@@ -39,7 +39,11 @@ public class GroupControllerV2: PKControllerBase
 
         if (with_members && j_groups.Count > 0)
         {
-            var q = await _repo.GetGroupMemberInfo(await groups.Select(x => x.Id).ToListAsync());
+            var q = await _repo.GetGroupMemberInfo(await groups
+                .Where(g => g.Visibility.CanAccess(ctx))
+                .Select(x => x.Id)
+                .ToListAsync());
+
 
             foreach (var row in q)
                 if (row.MemberVisibility.CanAccess(ctx))
@@ -147,4 +151,4 @@ public class GroupControllerV2: PKControllerBase
 
         return NoContent();
     }
-}
\ No newline at end of file
+}