From 7f57747b85d362faf6b93535a97ba8152d0becd0 Mon Sep 17 00:00:00 2001
From: Denis Bykhov
Date: Fri, 3 Oct 2025 22:52:39 +0500
Subject: [PATCH 1/2] Fix guest search security

Signed-off-by: Denis Bykhov
---
 server/middleware/src/spaceSecurity.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/server/middleware/src/spaceSecurity.ts b/server/middleware/src/spaceSecurity.ts
index caa6e26e997..aeaeb30cdb7 100644
--- a/server/middleware/src/spaceSecurity.ts
+++ b/server/middleware/src/spaceSecurity.ts
@@ -509,14 +509,16 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
 await this.next?.handleBroadcast(ctx)
 }
 
- private getAllAllowedSpaces (account: Account, isData: boolean, showArchived: boolean): Ref[] {
+ private getAllAllowedSpaces (account: Account, isData: boolean, showArchived: boolean, forSearch: boolean = false): Ref[] {
 const userSpaces = this.allowedSpaces[account.uuid] ?? []
- const res = [
+ let res = [
 ...Array.from(userSpaces),
 account.uuid as unknown as Ref,
- ...this.systemSpaces,
 ...this.mainSpaces
 ]
+ if (!forSearch || ![AccountRole.Guest, AccountRole.ReadOnlyGuest].includes(account.role)) {
+ res = [...res, ...this.systemSpaces]
+ }
 const ignorePublicSpaces = isData || account.role === AccountRole.ReadOnlyGuest
 const unfilteredRes = ignorePublicSpaces ? res : [...res, ...this.publicSpaces]
 if (showArchived) {
@@ -690,7 +692,7 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
 const newQuery = { ...query }
 const account = ctx.contextData.account
 if (!isSystem(account, ctx)) {
- const allSpaces = this.getAllAllowedSpaces(account, true, false)
+ const allSpaces = this.getAllAllowedSpaces(account, true, false, true)
 if (query.classes !== undefined) {
 const res = new Set>()
 const passedDomains = new Set()

From ecb99ef4bead3a863cb4069f1eac199d841fec02 Mon Sep 17 00:00:00 2001
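Review bot: The new `forSearch` parameter on `getAllAllowedSpaces` defaults to `false`, so the guest restriction is opt-in: because the guard is `!forSearch || ...`, any other caller (none are visible in this patch) that omits the fourth argument still hands `systemSpaces` to guest accounts, and the only call site updated here is the one in the second hunk, `getAllAllowedSpaces(account, true, false, true)`. Making the parameter required, or replacing the three positional booleans with an options object such as `{ isData: true, showArchived: false, forSearch: true }`, would force every caller to choose explicitly and make the call readable. The guard also enumerates the roles to restrict, `[AccountRole.Guest, AccountRole.ReadOnlyGuest].includes(account.role)`, so a guest-like role added to `AccountRole` later would receive system spaces in search by default; phrasing the check by which roles are allowed would fail closed. The diffstat shows only this file changed, so a regression test asserting that a guest search excludes system-space documents would be worth adding. Both function bodies continue outside the hunks.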
From: Denis Bykhov
Date: Sat, 4 Oct 2025 01:39:22 +0500
Subject: [PATCH 2/2] Fix formatting

Signed-off-by: Denis Bykhov
---
 server/middleware/src/spaceSecurity.ts | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/server/middleware/src/spaceSecurity.ts b/server/middleware/src/spaceSecurity.ts
index aeaeb30cdb7..d0022d43aa1 100644
--- a/server/middleware/src/spaceSecurity.ts
+++ b/server/middleware/src/spaceSecurity.ts
@@ -509,13 +509,14 @@ export class SpaceSecurityMiddleware extends BaseMiddleware implements Middlewar
 await this.next?.handleBroadcast(ctx)
 }
 
- private getAllAllowedSpaces (account: Account, isData: boolean, showArchived: boolean, forSearch: boolean = false): Ref[] {
+ private getAllAllowedSpaces (
+ account: Account,
+ isData: boolean,
+ showArchived: boolean,
+ forSearch: boolean = false
+ ): Ref[] {
 const userSpaces = this.allowedSpaces[account.uuid] ?? []
- let res = [
- ...Array.from(userSpaces),
- account.uuid as unknown as Ref,
- ...this.mainSpaces
- ]
+ let res = [...Array.from(userSpaces), account.uuid as unknown as Ref, ...this.mainSpaces]
 if (!forSearch || ![AccountRole.Guest, AccountRole.ReadOnlyGuest].includes(account.role)) {
 res = [...res, ...this.systemSpaces]
 }