Mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Don't disclose limited orgs to unauthenticated users

This commit is contained in:
Manush Dodunekov 2020-01-09 08:28:11 +01:00
parent 3459547fca
commit b788ef32ff
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
models/repo_list.go
View File

@ -321,14 +321,18 @@ func accessibleRepositoryCondition(user *User) builder.Cond {
var cond = builder.NewCond() var cond = builder.NewCond()
if user == nil || !user.IsRestricted { if user == nil || !user.IsRestricted {
var orgVisibilityLimit = structs.VisibleTypePrivate
if user == nil {
orgVisibilityLimit = structs.VisibleTypeLimited
}
// 1. Be able to see all non-private repositories that either: // 1. Be able to see all non-private repositories that either:
cond = cond.Or(builder.And( cond = cond.Or(builder.And(
builder.Eq{"`repository`.is_private": false}, builder.Eq{"`repository`.is_private": false},
builder.Or( builder.Or(
// A. Aren't in organisations __OR__ // A. Aren't in organisations __OR__
builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})), builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
// B. Isn't a private organisation. (Limited is OK because we're logged in) // B. Isn't a private organisation. Limited is OK as long as we're logged in.
builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"visibility": structs.VisibleTypePrivate}))))) builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Gte{"visibility": orgVisibilityLimit})))))
} }
if user != nil { if user != nil {