rework heatmap permissions (#14080)

* now uses the same permission model as for the activity feed: only include activities in repos, that the doer has access to. this might be somewhat slower. * also improves handling of user.KeepActivityPrivate (still shows the heatmap to self & admins) * extend tests * adjust integration test to new behaviour * add access to actions for admins * extend heatmap unit tests
2025-07-22 18:28:37 +00:00 · 2020-12-22 02:53:37 +00:00
parent 2c9dd71140
commit f6bec85296
8 changed files with 113 additions and 69 deletions
--- a/routers/api/v1/user/user.go
+++ b/routers/api/v1/user/user.go
@@ -166,7 +166,7 @@ func GetUserHeatmapData(ctx *context.APIContext) {
 		return
 	}

-	heatmap, err := models.GetUserHeatmapDataByUser(user)
+	heatmap, err := models.GetUserHeatmapDataByUser(user, ctx.User)
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "GetUserHeatmapDataByUser", err)
 		return
--- a/routers/user/home.go
+++ b/routers/user/home.go
@@ -115,7 +115,7 @@ func Dashboard(ctx *context.Context) {
 	// no heatmap access for admins; GetUserHeatmapDataByUser ignores the calling user
 	// so everyone would get the same empty heatmap
 	if setting.Service.EnableUserHeatmap && !ctxUser.KeepActivityPrivate {
-		data, err := models.GetUserHeatmapDataByUser(ctxUser)
+		data, err := models.GetUserHeatmapDataByUser(ctxUser, ctx.User)
 		if err != nil {
 			ctx.ServerError("GetUserHeatmapDataByUser", err)
 			return
--- a/routers/user/profile.go
+++ b/routers/user/profile.go
@@ -98,7 +98,7 @@ func Profile(ctx *context.Context) {
 	// no heatmap access for admins; GetUserHeatmapDataByUser ignores the calling user
 	// so everyone would get the same empty heatmap
 	if setting.Service.EnableUserHeatmap && !ctxUser.KeepActivityPrivate {
-		data, err := models.GetUserHeatmapDataByUser(ctxUser)
+		data, err := models.GetUserHeatmapDataByUser(ctxUser, ctx.User)
 		if err != nil {
 			ctx.ServerError("GetUserHeatmapDataByUser", err)
 			return