author | KN4CK3R <admin@oldschoolhack.me> | 2022-09-20 09:59:20 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-09-20 15:59:20 +0800 |
commit | 1b630ff7cdbb2ec48b67f8e3295c142f5ad77180 (patch) | |
tree | 94b691df8f8a5ced3b5cba28f975d360cff89b31 /models/user | |
parent | a196302472d559f04ed9a4387156bedf26b7c55d (diff) | |
Fix user visible check (#21210)
Fixes #21206
If user and viewer are equal the method should return true.
Also the common organization check was wrong as `count` can never be
less than 0.
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'models/user')
-rw-r--r-- | models/user/user.go | 4 | ||||
-rw-r--r-- | models/user/user_test.go | 53 |
2 files changed, 55 insertions, 2 deletions
diff --git a/models/user/user.go b/models/user/user.go
index f1df335eb6..32484a487f 100644
--- a/models/user/user.go
+++ b/models/user/user.go
@@ -1267,7 +1267,7 @@ func isUserVisibleToViewerCond(viewer *User) builder.Cond {
 
 // IsUserVisibleToViewer check if viewer is able to see user profile
 func IsUserVisibleToViewer(ctx context.Context, u, viewer *User) bool {
-	if viewer != nil && viewer.IsAdmin {
+	if viewer != nil && (viewer.IsAdmin || viewer.ID == u.ID) {
 		return true
 	}
 
@@ -1306,7 +1306,7 @@ func IsUserVisibleToViewer(ctx context.Context, u, viewer *User) bool {
 		return false
 	}
 
-	if count < 0 {
+	if count == 0 {
 		// No common organization
 		return false
 	}
diff --git a/models/user/user_test.go b/models/user/user_test.go
index 940382cdaf..848c978a9b 100644
--- a/models/user/user_test.go
+++ b/models/user/user_test.go
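Review bot: The new guard in the first hunk dereferences `u` (`viewer.ID == u.ID`) while only `viewer` is nil-checked on that line; before this change the admin shortcut returned without touching `u`, so if any caller can pass a nil `u` the early return now panics instead. If `u` is non-nil by contract, the doc comment above the signature should state it together with the two new short-circuits, e.g. `// IsUserVisibleToViewer reports whether viewer may see u's profile. u must be non-nil; a nil viewer is an anonymous request. A user is always visible to themselves and to site admins.`. The second hunk's `count == 0` reads correctly for a non-negative count. IsUserVisibleToViewer's body continues outside both hunks, so any further nil handling there is not visible here.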
@@ -400,3 +400,56 @@ func TestUnfollowUser(t *testing.T) {
 
 	unittest.CheckConsistencyFor(t, &user_model.User{})
 }
+
+func TestIsUserVisibleToViewer(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) // admin, public
+	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) // normal, public
+	user20 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 20}) // public, same team as user31
+	user29 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29}) // public, is restricted
+	user31 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 31}) // private, same team as user20
+	user33 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 33}) // limited, follows 31
+
+	test := func(u, viewer *user_model.User, expected bool) {
+		name := func(u *user_model.User) string {
+			if u == nil {
+				return "<nil>"
+			}
+			return u.Name
+		}
+		assert.Equal(t, expected, user_model.IsUserVisibleToViewer(db.DefaultContext, u, viewer), "user %v should be visible to viewer %v: %v", name(u), name(viewer), expected)
+	}
+
+	// admin viewer
+	test(user1, user1, true)
+	test(user20, user1, true)
+	test(user31, user1, true)
+	test(user33, user1, true)
+
+	// non admin viewer
+	test(user4, user4, true)
+	test(user20, user4, true)
+	test(user31, user4, false)
+	test(user33, user4, true)
+	test(user4, nil, true)
+
+	// public user
+	test(user4, user20, true)
+	test(user4, user31, true)
+	test(user4, user33, true)
+
+	// limited user
+	test(user33, user33, true)
+	test(user33, user4, true)
+	test(user33, user29, false)
+	test(user33, nil, false)
+
+	// private user
+	test(user31, user31, true)
+	test(user31, user4, false)
+	test(user31, user20, true)
+	test(user31, user29, false)
+	test(user31, user33, true)
+	test(user31, nil, false)
+}
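Review bot: The `name` helper closure is re-created on every `test(...)` call because it is declared inside `test`; declaring it once above `test := func(...)` and referencing it from there reads more simply and matches how `test` itself is hoisted. The change is to move the `name := func(u *user_model.User) string { ... }` declaration up by one level and leave the `assert.Equal` line as is. The cases `test(user4, user4, true)` and `test(user31, user4, false)` appear to exercise the two fixed branches (self-visibility and the no-common-organization path), so the coverage itself looks adequate.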