diff --git a/integrations/org_test.go b/integrations/org_test.go index 17b8958480..d86c82989d 100644 --- a/integrations/org_test.go +++ b/integrations/org_test.go @@ -92,6 +92,15 @@ func TestPrivateOrg(t *testing.T) { req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org") session.MakeRequest(t, req, http.StatusNotFound) + // non-org member who is collaborator on repo in private org + session = loginUser(t, "user4") + req = NewRequest(t, "GET", "/privated_org") + session.MakeRequest(t, req, http.StatusNotFound) + req = NewRequest(t, "GET", "/privated_org/public_repo_on_private_org") // colab of this repo + session.MakeRequest(t, req, http.StatusOK) + req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org") + session.MakeRequest(t, req, http.StatusNotFound) + // site admin session = loginUser(t, "user1") req = NewRequest(t, "GET", "/privated_org") diff --git a/models/fixtures/collaboration.yml b/models/fixtures/collaboration.yml index 18db9c36c5..4e5508e711 100644 --- a/models/fixtures/collaboration.yml +++ b/models/fixtures/collaboration.yml @@ -9,3 +9,9 @@ repo_id: 4 user_id: 4 mode: 2 # write + +- + id: 3 + repo_id: 38 + user_id: 4 + mode: 2 # write diff --git a/models/repo_permission.go b/models/repo_permission.go index edad25b75a..e66fc3b53b 100644 --- a/models/repo_permission.go +++ b/models/repo_permission.go @@ -107,7 +107,17 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss repo.mustOwner(e) } - if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) { + var isCollaborator bool + if user != nil { + isCollaborator, err = repo.isCollaborator(e, user.ID) + if err != nil { + return perm, err + } + } + + // Prevent strangers from checking out public repo of private orginization + // Allow user if they are collaborator of a repo within a private orginization but not a member of the orginization itself + if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) && !isCollaborator { perm.AccessMode = AccessModeNone return } @@ -146,9 +156,7 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss perm.UnitsMode = make(map[UnitType]AccessMode) // Collaborators on organization - if isCollaborator, err := repo.isCollaborator(e, user.ID); err != nil { - return perm, err - } else if isCollaborator { + if isCollaborator { for _, u := range repo.Units { perm.UnitsMode[u.Type] = perm.AccessMode }