	Ensure that feeds are appropriately restricted (#10018)
* Always limit results by what is accessible to the user * Change signature of AccessibleRepoIDsQuery * Ensure that user with ID <= 0 is handled * Update models/repo_list.go
		| @@ -312,8 +312,8 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) { | |||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		cond = cond.And(builder.In("repo_id", repoIDs)) | 		cond = cond.And(builder.In("repo_id", repoIDs)) | ||||||
| 	} else if opts.Actor != nil { | 	} else { | ||||||
| 		cond = cond.And(builder.In("repo_id", opts.Actor.AccessibleRepoIDsQuery())) | 		cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.Actor))) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID}) | 	cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID}) | ||||||
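Review bot: The access restriction added on the `else` branch does not visibly reach the first branch, where `cond = cond.And(builder.In("repo_id", repoIDs))` applies a `repoIDs` list computed above this hunk; if that list is not itself narrowed to what `opts.Actor` may see, a restricted or anonymous actor could still receive feed entries for repositories they cannot access. Worth confirming against the code above the hunk, either by also ANDing that branch with `builder.In("repo_id", AccessibleRepoIDsQuery(opts.Actor))` or by stating in a comment why `repoIDs` is already safe. The new branch now deliberately passes a possibly-nil `opts.Actor`, which is not obvious at this call site; a line such as `// opts.Actor may be nil (anonymous request); AccessibleRepoIDsQuery treats nil as an unauthenticated user` would make the intent clear. GetFeeds begins before the hunk and continues after it.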
| @@ -319,9 +319,9 @@ func SearchRepository(opts *SearchRepoOptions) (RepositoryList, int64, error) { | |||||||
| func accessibleRepositoryCondition(user *User) builder.Cond { | func accessibleRepositoryCondition(user *User) builder.Cond { | ||||||
| 	var cond = builder.NewCond() | 	var cond = builder.NewCond() | ||||||
|  |  | ||||||
| 	if user == nil || !user.IsRestricted { | 	if user == nil || !user.IsRestricted || user.ID <= 0 { | ||||||
| 		orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate} | 		orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate} | ||||||
| 		if user == nil { | 		if user == nil || user.ID <= 0 { | ||||||
| 			orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited) | 			orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited) | ||||||
| 		} | 		} | ||||||
| 		// 1. Be able to see all non-private repositories that either: | 		// 1. Be able to see all non-private repositories that either: | ||||||
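Review bot: The predicate `user == nil || user.ID <= 0` now appears twice in this function (inside the outer condition and again for `orgVisibilityLimit`), and the reason a non-positive ID is treated like a nil user is recorded nowhere in the code. Computing it once at the top, e.g. `anonymous := user == nil || user.ID <= 0` with a comment along the lines of `// a nil user, or one with ID <= 0 (not a persisted account), is treated as anonymous — see #10018`, then writing `if anonymous || !user.IsRestricted {` and `if anonymous {`, keeps the two checks from drifting apart. Note that with the new condition a `*User` that has `IsRestricted` set but `ID <= 0` takes this non-restricted path instead of the restricted-user branch that presumably follows; if that is intended it deserves a sentence in the same comment. accessibleRepositoryCondition continues past the end of the hunk.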
| @@ -363,7 +363,8 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err | |||||||
| } | } | ||||||
|  |  | ||||||
| // AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered. | // AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered. | ||||||
| func (user *User) AccessibleRepoIDsQuery() *builder.Builder { | func AccessibleRepoIDsQuery(user *User) *builder.Builder { | ||||||
|  | 	// NB: Please note this code needs to still work if user is nil | ||||||
| 	return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(user)) | 	return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(user)) | ||||||
| } | } | ||||||
|  |  | ||||||
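Review bot: The nil-user contract is stated only in the `// NB:` reminder inside the body, while the exported doc comment on `AccessibleRepoIDsQuery` says nothing about it, so callers reading godoc will not learn that nil is accepted; extend the doc comment to `// AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered. A nil user is treated as an anonymous visitor.` Since the function now exists precisely so that nil can be passed (GetFeeds in this commit relies on it), a unit test asserting that the query built by `AccessibleRepoIDsQuery(nil)` matches the one built from `accessibleRepositoryCondition(nil)` would guard what the reminder only asks for. Turning the method into a package-level function is an API break for any external caller of `user.AccessibleRepoIDsQuery()`; a mention in the commit description would help downstream users.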