authorzeripath <art27@cantab.net>2020-01-28 11:39:37 +0000
committerGitHub <noreply@github.com>2020-01-28 11:39:37 +0000
commit206a031b38a766d0ce89ae94a304f7d418ccdafb (patch)
tree4defd0fc5d07792b0d624400d196af670eb2446c
parent797e6f8f4ccc93e25bddb969a5e1358ed52c5f0a (diff)
Ensure that feeds are appropriately restricted (#10018)
* Always limit results by what is accessible to the user * Change signature of AccessibleRepoIDsQuery * Ensure that user with ID <= 0 is handled * Update models/repo_list.go
-rw-r--r--models/action.go4
-rw-r--r--models/repo_list.go7
2 files changed, 6 insertions, 5 deletions
diff --git a/models/action.go b/models/action.go
index 1a6ff75603..b8694aad73 100644
--- a/models/action.go
+++ b/models/action.go
@@ -312,8 +312,8 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
}
cond = cond.And(builder.In("repo_id", repoIDs))
- } else if opts.Actor != nil {
- cond = cond.And(builder.In("repo_id", opts.Actor.AccessibleRepoIDsQuery()))
+ } else {
+ cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.Actor)))
}
cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})
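Review bot: The accessibility subquery is now applied only in the new `else` branch, so the branch that closes just above `cond = cond.And(builder.In("repo_id", repoIDs))` still filters solely by the explicit `repoIDs` list, and this commit leaves that list unrestricted. Where `repoIDs` comes from is outside the hunk, so this is inferred, but if that list can be shaped by the requester (an org or watched-repository set, for example) it should be intersected with the accessible set as well, e.g. `cond = cond.And(builder.In("repo_id", repoIDs), builder.In("repo_id", AccessibleRepoIDsQuery(opts.Actor)))`. The `else` branch now also fires for a nil actor, which is the point of the fix and deserves a why-comment: `// Anonymous (nil Actor) is still restricted: AccessibleRepoIDsQuery treats nil as an unauthenticated visitor.` GetFeeds begins and ends outside this hunk.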
diff --git a/models/repo_list.go b/models/repo_list.go
index 3644b01d82..d3a113d26c 100644
--- a/models/repo_list.go
+++ b/models/repo_list.go
@@ -319,9 +319,9 @@ func SearchRepository(opts *SearchRepoOptions) (RepositoryList, int64, error) {
func accessibleRepositoryCondition(user *User) builder.Cond {
var cond = builder.NewCond()
- if user == nil || !user.IsRestricted {
+ if user == nil || !user.IsRestricted || user.ID <= 0 {
orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate}
- if user == nil {
+ if user == nil || user.ID <= 0 {
orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited)
}
// 1. Be able to see all non-private repositories that either:
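Review bot: `user == nil || user.ID <= 0` is now spelled out twice in accessibleRepositoryCondition and nothing names what the pair means, so the two sites can drift apart on a later edit. A local keeps them in step and documents the intent: `anonymous := user == nil || user.ID <= 0`, then `if anonymous || !user.IsRestricted {` and `if anonymous {` (short-circuiting keeps the `user.IsRestricted` dereference safe when user is nil). It is also worth a comment that a user with a non-positive ID, presumably a placeholder such as a ghost or not-yet-persisted account (confirm), is deliberately treated as unauthenticated, so Limited-visibility organisations are hidden from it exactly as for a nil user. The function's body continues past the end of this hunk.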
@@ -363,7 +363,8 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
}
// AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered.
-func (user *User) AccessibleRepoIDsQuery() *builder.Builder {
+func AccessibleRepoIDsQuery(user *User) *builder.Builder {
+ // NB: Please note this code needs to still work if user is nil
return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(user))
}
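Review bot: The doc comment on `AccessibleRepoIDsQuery` does not state the nil-user contract that the new in-body NB comment introduces, yet it is the callers, which now pass `opts.Actor` unconditionally, who need to rely on it. Suggest moving the guarantee into the exported doc comment: `// AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered. user may be nil or have ID <= 0; both are treated as an anonymous visitor and restricted accordingly.` The body itself adds no guard, so nil safety rests entirely on accessibleRepositoryCondition handling nil, and the comment should say so to keep a future change there from silently breaking every feed query.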