refactor: sql queries related to privacy-accounting;

chore: regenerated swagger;
feat: utilizing new 410 error when user is banned/unavailable/deleted

sqlc/query.sql

@@ -281,7 +281,6 @@ JOIN users ON users.id = profiles.user_id
 WHERE users.username = $1;
 
 ;-- name: CheckProfileAccess :one
--- XXX: recheck, was tired
 SELECT
   CASE WHEN u.deleted OR NOT u.verified THEN TRUE ELSE FALSE END AS user_unavailable,
   CASE WHEN EXISTS (
@@ -300,7 +299,6 @@ JOIN users u ON p.user_id = u.id
 WHERE p.id = $1;
 
 ;-- name: GetProfileByUsernameWithPrivacy :one
--- FIXME: tweak backend code to handle privacy correctly
 SELECT
   u.username,
   p.name,
@@ -402,7 +400,6 @@ JOIN users u ON u.id = p.user_id
 WHERE u.username = @username::text;
 
 -- name: GetWishlistsByUsernameWithPrivacy :many
--- XXX: Obsolete, create according access check query instead
 SELECT 
   wl.*, 
   CASE 
@@ -496,32 +493,31 @@ FROM updated;
 SELECT * FROM wishes w
 WHERE w.guid = (@guid::text)::uuid;
 
-;-- name: GetWishByGuidWithPrivacy :one
--- XXX: Obsolete, create according access check query instead
-SELECT 
-  w.*,
-  CASE 
-    WHEN 
-      (
-        @requester::text = u.username OR
-        NOT ps.hide_profile_details AND 
-        NOT
-          (
-            ps.hide_for_unauthenticated AND
-            @requester::text = ''
-          ) AND
-        NOT wl.hidden
-      )
-    THEN TRUE 
-    ELSE FALSE
-  END AS access_allowed
-FROM wishes w
-JOIN wish_lists wl ON w.wish_list_id = wl.id
-JOIN profiles p ON wl.profile_id = p.id
-JOIN profile_settings ps ON ps.profile_id = p.id
-JOIN users u ON p.user_id = u.id
-WHERE
-  w.guid = (@guid::text)::uuid AND
-  w.deleted IS FALSE;
+;-- name: CheckWishAccessByGuid :one
+SELECT EXISTS (
+    SELECT 1
+    FROM wishes w
+    JOIN wish_lists wl ON w.wish_list_id = wl.id
+    JOIN profiles p ON wl.profile_id = p.id
+    JOIN profile_settings ps ON ps.profile_id = p.id
+    JOIN users u ON p.user_id = u.id
+    LEFT JOIN banned_users bu ON u.id = bu.user_id 
+        AND bu.pardoned = FALSE 
+        AND (bu.expires_at IS NULL OR bu.expires_at > NOW())
+    WHERE w.guid = (@guid::text)::uuid
+        AND ps.hide_profile_details = FALSE
+        AND (
+          @requester::text != ''
+          OR ps.hide_for_unauthenticated IS FALSE
+        )
+        AND (
+          w.fulfilled = FALSE
+          OR ps.hide_fulfilled IS FALSE
+        )
+        AND w.deleted = FALSE
+        AND wl.deleted = FALSE
+        AND u.deleted = FALSE
+        AND bu.id IS NULL  -- Ensures owner is not banned
+);
 
 --: }}}