fix: consider issues in repository accessible via access table (#7270)

- Consider the following scenario: a private repository in an organization with a team that has no specific access to that repository. Members of that team are still able to visit the repository because of entries in the `access` table. - Consider this specific scenario for the gathering of issues for project tables. - Unit test added - Resolves forgejo/forgejo#7217 - Ref: forgejo/forgejo#6843 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7270 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Reviewed-by: 0ko <0ko@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-06-17 11:59:30 +00:00 · 2025-03-19 16:45:42 +00:00 · 2025-03-19 16:45:42 +00:00 · 72ee7f3b00
commit 72ee7f3b00
parent 2cd9872b10
6 changed files with 92 additions and 0 deletions
--- a/models/issues/issue_search.go
+++ b/models/issues/issue_search.go
@ -341,6 +341,9 @@ func issuePullAccessibleRepoCond(repoIDstr string, userID int64, org *organizati
 				builder.Or(
 					repo_model.UserOrgUnitRepoCond(repoIDstr, userID, org.ID, unitType), // team member repos
 					repo_model.UserOrgPublicUnitRepoCond(userID, org.ID),                // user org public non-member repos, TODO: check repo has issues
+					builder.And(
+						builder.In("issue.repo_id", builder.Select("id").From("repository").Where(builder.Eq{"owner_id": org.ID})),
+						repo_model.UserAccessRepoCond(repoIDstr, userID)), // user can access org repo in a unit independent way
 				),
 			)
 		}