use already existing GetUserRepoPermission

models/activities/action.go

@@ -23,6 +23,7 @@ import (
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"
@@ -468,21 +469,32 @@ func GetFeeds(ctx context.Context, opts GetFeedsOptions) (ActionList, int64, err
 		return nil, 0, fmt.Errorf("LoadAttributes: %w", err)
 	}
 
-	isOrgMemberMap := make(map[int64]bool, 0)
-	isPrivateForActor := true
 	if opts.Actor != nil && opts.RequestedUser != nil {
-		isPrivateForActor = !opts.Actor.IsAdmin && opts.Actor.ID != opts.RequestedUser.ID
-		isOrgMemberMap, err = organization.IsOrganizationsMember(ctx, actions.GetOrgIDs(), opts.Actor.ID)
-		if err != nil {
-			return nil, 0, err
-		}
-	}
-
-	for _, action := range actions {
-		action.IsPrivateView = isPrivateForActor && action.IsPrivate
+		isPrivateForActor := !opts.Actor.IsAdmin && opts.Actor.ID != opts.RequestedUser.ID
+
+		// cache user repo read permissions
+		canReadRepo := make(map[int64]optional.Option[bool], 0)
+
+		for _, action := range actions {
+			action.IsPrivateView = isPrivateForActor && action.IsPrivate
+
+			if action.IsPrivateView && action.Repo.Owner.IsOrganization() {
+				if !canReadRepo[action.Repo.ID].Has() {
+					perm, err := access_model.GetUserRepoPermission(ctx, action.Repo, opts.Actor)
+					if err != nil {
+						return nil, 0, fmt.Errorf("GetUserRepoPermission: %w", err)
+					}
+					canRead := perm.CanRead(unit.TypeCode)
+					action.IsPrivateView = !canRead
+					canReadRepo[action.Repo.ID] = optional.Option[bool]{canRead}
+				}
 
-		if action.IsPrivateView && action.Repo.Owner.IsOrganization() {
-			action.IsPrivateView = !isOrgMemberMap[action.Repo.Owner.ID]
+				action.IsPrivateView = !canReadRepo[action.Repo.ID].Value()
+			}
+		}
+	} else {
+		for _, action := range actions {
+			action.IsPrivateView = action.IsPrivate
 		}
 	}
 
@@ -491,8 +503,13 @@ func GetFeeds(ctx context.Context, opts GetFeedsOptions) (ActionList, int64, err
 
 // ActivityReadable return whether doer can read activities of user
 func ActivityReadable(user, doer *user_model.User) bool {
-	return !user.ActivityVisibility.ShowNone() ||
-		doer != nil && (doer.IsAdmin || user.ID == doer.ID)
+	if doer != nil && (doer.IsAdmin || user.ID == doer.ID) {
+		return true
+	}
+	if user.ActivityVisibility.ShowNone() {
+		return false
+	}
+	return true
 }
 
 func activityQueryCondition(ctx context.Context, opts GetFeedsOptions) (builder.Cond, error) {

models/activities/action_list.go

@@ -53,16 +53,6 @@ func (actions ActionList) getRepoIDs() []int64 {
 	})
 }
 
-func (actions ActionList) GetOrgIDs() []int64 {
-	orgIDs := make(container.Set[int64], len(actions))
-	for _, action := range actions {
-		if action.Repo.Owner.IsOrganization() {
-			orgIDs.Add(action.Repo.Owner.ID)
-		}
-	}
-	return orgIDs.Values()
-}
-
 func (actions ActionList) LoadRepositories(ctx context.Context) error {
 	if len(actions) == 0 {
 		return nil

models/organization/org_user.go

@@ -77,27 +77,6 @@ func IsOrganizationMember(ctx context.Context, orgID, uid int64) (bool, error) {
 		Exist()
 }
 
-// IsOrganizationsMember returns a map with key of orgID and value is true if given user is member of organization.
-func IsOrganizationsMember(ctx context.Context, orgIDs []int64, uid int64) (map[int64]bool, error) {
-	var orgUsers []*OrgUser
-
-	err := db.GetEngine(ctx).
-		Where("uid=?", uid).
-		And(builder.In("org_id", orgIDs)).
-		Table("org_user").
-		Find(&orgUsers)
-	if err != nil {
-		return nil, err
-	}
-
-	memberMap := make(map[int64]bool, len(orgIDs))
-	for _, orgUser := range orgUsers {
-		memberMap[orgUser.OrgID] = true
-	}
-
-	return memberMap, nil
-}
-
 // IsPublicMembership returns true if the given user's membership of given org is public.
 func IsPublicMembership(ctx context.Context, orgID, uid int64) (bool, error) {
 	return db.GetEngine(ctx).