fix(server): do not leak people (#4710)

server/src/infra/repositories/person.repository.ts

@@ -103,15 +103,18 @@ export class PersonRepository implements IPersonRepository {
     return this.personRepository.findOne({ where: { id: personId } });
   }
 
-  getByName(userId: string, personName: string, { withHidden }: PersonNameSearchOptions): Promise<PersonEntity[]> {
+  async getByName(
+    userId: string,
+    personName: string,
+    { withHidden }: PersonNameSearchOptions,
+  ): Promise<PersonEntity[]> {
     const queryBuilder = this.personRepository
       .createQueryBuilder('person')
       .leftJoin('person.faces', 'face')
-      .where('person.ownerId = :userId', { userId })
+      .where(
-      .andWhere('LOWER(person.name) LIKE :nameStart OR LOWER(person.name) LIKE :nameAnywhere', {
+        'person.ownerId = :userId AND (LOWER(person.name) LIKE :nameStart OR LOWER(person.name) LIKE :nameAnywhere)',
-        nameStart: `${personName.toLowerCase()}%`,
+        { userId, nameStart: `${personName.toLowerCase()}%`, nameAnywhere: `% ${personName.toLowerCase()}%` },
-        nameAnywhere: `% ${personName.toLowerCase()}%`,
+      )
-      })
       .groupBy('person.id')
       .orderBy('COUNT(face.assetId)', 'DESC')
       .limit(20);