Description
On the permalink page for a post, the list of replies is displayed below the main post. This list is supposed to show only public replies. However, it currently displays all replies to the post, including direct messages (DMs), which have `direct` visibility. This is a significant security vulnerability as it exposes private conversations to the public.
This issue appears to stem from the database query in `src/pages/profile/profilePost.tsx`. The initial query for the post correctly filters for `public` or `unlisted` visibility. However, when fetching the `replies` relation for that post, there is no additional visibility filter applied. As a result, all replies, regardless of their visibility status, are fetched from the database and rendered on the page.
To fix this, the query for replies should be modified to only include posts with `public` or `unlisted` visibility, similar to how the main post is fetched.
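The bug and the fix side by side, as an added in-memory model that is not the project's code (the ORM in `profilePost.tsx` is not reproduced here). The `Post` shape, the visibility values and the sample rows are assumptions; the point is that one shared predicate gates both the root post and its `replies` relation so the two queries cannot drift apart.

```typescript
// Added example: in-memory model of the permalink query, not the project's
// own ORM code. Post shape and visibility values are assumptions.
type Visibility = "public" | "unlisted" | "private" | "direct";

interface Post {
  id: number;
  authorId: string;
  visibility: Visibility;
  inReplyToId: number | null;
  content: string;
}

interface PermalinkView { post: Post; replies: Post[] }

// Single source of truth for "may appear on a public permalink page".
const PERMALINK_VISIBILITIES = new Set<Visibility>(["public", "unlisted"]);

function isPermalinkVisible(p: Post): boolean {
  return PERMALINK_VISIBILITIES.has(p.visibility);
}

// Buggy shape: the root post is filtered, the replies relation is not,
// so a "direct" (DM) reply is returned next to the public ones.
function loadPermalinkVulnerable(db: Post[], id: number): PermalinkView | null {
  const post = db.find((p) => p.id === id && isPermalinkVisible(p));
  if (!post) return null;
  const replies = db.filter((p) => p.inReplyToId === id); // no visibility check
  return { post, replies };
}

// Fixed shape: the same predicate gates the root post and every reply.
function loadPermalink(db: Post[], id: number): PermalinkView | null {
  const post = db.find((p) => p.id === id && isPermalinkVisible(p));
  if (!post) return null;
  const replies = db.filter((p) => p.inReplyToId === id && isPermalinkVisible(p));
  return { post, replies };
}

// Constructed sample rows: a public root with public, DM, unlisted and
// followers-only replies. Only ids 2 and 4 belong on the permalink page.
const SAMPLE_DB: Post[] = [
  { id: 1, authorId: "alice", visibility: "public", inReplyToId: null, content: "root" },
  { id: 2, authorId: "bob", visibility: "public", inReplyToId: 1, content: "public reply" },
  { id: 3, authorId: "carol", visibility: "direct", inReplyToId: 1, content: "dm reply" },
  { id: 4, authorId: "dave", visibility: "unlisted", inReplyToId: 1, content: "unlisted reply" },
  { id: 5, authorId: "erin", visibility: "private", inReplyToId: 1, content: "followers-only" },
];
```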