From 8d67ae5f2463baf7299f033a9748ea84678b5563 Mon Sep 17 00:00:00 2001
From: Kovid Goyal <kovid@kovidgoyal.net>
Date: Sat, 18 Nov 2023 05:59:36 +0530
Subject: [PATCH] Content server: Fix newly added books on homepage not
 restricted to the books the logged in user is allowed to access

---
 src/calibre/db/cache.py    | 4 ++--
 src/calibre/srv/code.py    | 4 ++--
 src/calibre/srv/handler.py | 7 +++++++
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/calibre/db/cache.py b/src/calibre/db/cache.py
index b6e592e84c..fcb6ec52ab 100644
--- a/src/calibre/db/cache.py
+++ b/src/calibre/db/cache.py
@@ -1405,8 +1405,8 @@ class Cache:
         return ret
 
     @read_api
-    def newly_added_book_ids(self, count=5) -> list[int]:
-        ids_to_sort = self._all_book_ids(list)
+    def newly_added_book_ids(self, count=5, book_ids=None) -> list[int]:
+        ids_to_sort = self._all_book_ids(list) if book_ids is None else list(book_ids)
         ids_to_sort.sort(reverse=True)
         return ids_to_sort[:count]
 
diff --git a/src/calibre/srv/code.py b/src/calibre/srv/code.py
index d581771040..70435e64db 100644
--- a/src/calibre/srv/code.py
+++ b/src/calibre/srv/code.py
@@ -309,11 +309,11 @@ def newly_added(ctx, rd):
     '''
     db, library_id = get_library_data(ctx, rd)[:2]
     count = int(rd.query.get('num', 3))
+    nbids = ctx.newest_book_ids(rd, db, count=count)
     with db.safe_read_lock:
-        nbids = db._newly_added_book_ids(count)
         titles = db._all_field_for('title', nbids)
         authors = db._all_field_for('authors', nbids)
-        return {'library_id': library_id, 'books': nbids, 'titles': titles, 'authors': authors}
+    return {'library_id': library_id, 'books': nbids, 'titles': titles, 'authors': authors}
 
 
 @endpoint('/interface-data/more-books', postprocess=json, methods=POSTABLE)
diff --git a/src/calibre/srv/handler.py b/src/calibre/srv/handler.py
index b651863dd7..8389ecb119 100644
--- a/src/calibre/srv/handler.py
+++ b/src/calibre/srv/handler.py
@@ -92,6 +92,13 @@ class Context:
                 return False
         return db.has_id(book_id)
 
+    def newest_book_ids(self, request_data, db, count=5):
+        restriction = self.restriction_for(request_data, db)
+        allowed_book_ids = None
+        if restriction:
+            allowed_book_ids = db.search('', restriction=restriction)
+        return db.newly_added_book_ids(count=count, book_ids=allowed_book_ids)
+
     def get_allowed_book_ids_from_restriction(self, request_data, db):
         restriction = self.restriction_for(request_data, db)
         return frozenset(db.search('', restriction=restriction)) if restriction else None