summaryrefslogtreecommitdiffstats
path: root/models
diff options
context:
space:
mode:
authorzeripath <art27@cantab.net>2022-07-05 16:47:45 +0100
committerGitHub <noreply@github.com>2022-07-05 16:47:45 +0100
commit45f17528a856718457b79011cfd20c127ee87452 (patch)
tree16c1feca3c428274d74c57ff5aa505d6d874ea74 /models
parented13d7aadf75246a3b9ba68c5cd2def867f89f43 (diff)
downloadgitea-45f17528a856718457b79011cfd20c127ee87452.tar.gz
gitea-45f17528a856718457b79011cfd20c127ee87452.zip
Only show Followers that current user can access (#20220)
Users who are following or being followed by a user should only be displayed if the viewing user can see them. Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'models')
-rw-r--r--models/user/user.go59
1 files changed, 50 insertions, 9 deletions
diff --git a/models/user/user.go b/models/user/user.go
index 000af58513..125c643f3e 100644
--- a/models/user/user.go
+++ b/models/user/user.go
@@ -316,37 +316,45 @@ func (u *User) GenerateEmailActivateCode(email string) string {
}
// GetUserFollowers returns range of user's followers.
-func GetUserFollowers(u *User, listOptions db.ListOptions) ([]*User, error) {
- sess := db.GetEngine(db.DefaultContext).
+func GetUserFollowers(ctx context.Context, u, viewer *User, listOptions db.ListOptions) ([]*User, int64, error) {
+ sess := db.GetEngine(ctx).
+ Select("`user`.*").
+ Join("LEFT", "follow", "`user`.id=follow.user_id").
Where("follow.follow_id=?", u.ID).
- Join("LEFT", "follow", "`user`.id=follow.user_id")
+ And(isUserVisibleToViewerCond(viewer))
if listOptions.Page != 0 {
sess = db.SetSessionPagination(sess, &listOptions)
users := make([]*User, 0, listOptions.PageSize)
- return users, sess.Find(&users)
+ count, err := sess.FindAndCount(&users)
+ return users, count, err
}
users := make([]*User, 0, 8)
- return users, sess.Find(&users)
+ count, err := sess.FindAndCount(&users)
+ return users, count, err
}
// GetUserFollowing returns range of user's following.
-func GetUserFollowing(u *User, listOptions db.ListOptions) ([]*User, error) {
+func GetUserFollowing(ctx context.Context, u, viewer *User, listOptions db.ListOptions) ([]*User, int64, error) {
sess := db.GetEngine(db.DefaultContext).
+ Select("`user`.*").
+ Join("LEFT", "follow", "`user`.id=follow.follow_id").
Where("follow.user_id=?", u.ID).
- Join("LEFT", "follow", "`user`.id=follow.follow_id")
+ And(isUserVisibleToViewerCond(viewer))
if listOptions.Page != 0 {
sess = db.SetSessionPagination(sess, &listOptions)
users := make([]*User, 0, listOptions.PageSize)
- return users, sess.Find(&users)
+ count, err := sess.FindAndCount(&users)
+ return users, count, err
}
users := make([]*User, 0, 8)
- return users, sess.Find(&users)
+ count, err := sess.FindAndCount(&users)
+ return users, count, err
}
// NewGitSig generates and returns the signature of given user.
@@ -1222,6 +1230,39 @@ func GetAdminUser() (*User, error) {
return &admin, nil
}
+func isUserVisibleToViewerCond(viewer *User) builder.Cond {
+ if viewer != nil && viewer.IsAdmin {
+ return builder.NewCond()
+ }
+
+ if viewer == nil || viewer.IsRestricted {
+ return builder.Eq{
+ "`user`.visibility": structs.VisibleTypePublic,
+ }
+ }
+
+ return builder.Neq{
+ "`user`.visibility": structs.VisibleTypePrivate,
+ }.Or(
+ builder.In("`user`.id",
+ builder.
+ Select("`follow`.user_id").
+ From("follow").
+ Where(builder.Eq{"`follow`.follow_id": viewer.ID})),
+ builder.In("`user`.id",
+ builder.
+ Select("`team_user`.uid").
+ From("team_user").
+ Join("INNER", "`team_user` AS t2", "`team_user`.id = `t2`.id").
+ Where(builder.Eq{"`t2`.uid": viewer.ID})),
+ builder.In("`user`.id",
+ builder.
+ Select("`team_user`.uid").
+ From("team_user").
+ Join("INNER", "`team_user` AS t2", "`team_user`.org_id = `t2`.org_id").
+ Where(builder.Eq{"`t2`.uid": viewer.ID})))
+}
+
// IsUserVisibleToViewer check if viewer is able to see user profile
func IsUserVisibleToViewer(ctx context.Context, u, viewer *User) bool {
if viewer != nil && viewer.IsAdmin {