luckyimnotanigger/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-05-25 11:22:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

fix: anomynous users code search for private/limited user's repository

Browse source 
- Consider private/limited users in the `AccessibleRepositoryCondition`
query, previously this only considered private/limited organization.
This limits the ability for anomynous users to do code search on
private/limited user's repository
- Unit test added.
This commit is contained in:
Gusted 2024-11-09 23:47:39 +01:00 committed by Earl Warren
parent 9508aa7713
commit b70196653f
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
3 changed files with 77 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

7
models/repo/repo_list.go
View file

@ -641,12 +641,9 @@ func AccessibleRepositoryCondition(user *user_model.User, unitType unit.Type) bu
// 1. Be able to see all non-private repositories that either:
cond = cond.Or(builder.And(
builder.Eq{"`repository`.is_private": false},
// 2. Aren't in an private organisation or limited organisation if we're not logged in
// 2. Aren't in an private organisation/user or limited organisation/user if the doer is not logged in.
builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(
builder.And(
builder.Eq{"type": user_model.UserTypeOrganization},
builder.In("visibility", orgVisibilityLimit)),
))))
builder.In("visibility", orgVisibilityLimit)))))
}
if user != nil {