From 206a031b38a766d0ce89ae94a304f7d418ccdafb Mon Sep 17 00:00:00 2001 From: zeripath Date: Tue, 28 Jan 2020 11:39:37 +0000 Subject: Ensure that feeds are appropriately restricted (#10018) * Always limit results by what is accessible to the user * Change signature of AccessibleRepoIDsQuery * Ensure that user with ID <= 0 is handled * Update models/repo_list.go --- models/action.go | 4 ++-- models/repo_list.go | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/models/action.go b/models/action.go index 1a6ff75603..b8694aad73 100644 --- a/models/action.go +++ b/models/action.go @@ -312,8 +312,8 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) { } cond = cond.And(builder.In("repo_id", repoIDs)) - } else if opts.Actor != nil { - cond = cond.And(builder.In("repo_id", opts.Actor.AccessibleRepoIDsQuery())) + } else { + cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.Actor))) } cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID}) diff --git a/models/repo_list.go b/models/repo_list.go index 3644b01d82..d3a113d26c 100644 --- a/models/repo_list.go +++ b/models/repo_list.go @@ -319,9 +319,9 @@ func SearchRepository(opts *SearchRepoOptions) (RepositoryList, int64, error) { func accessibleRepositoryCondition(user *User) builder.Cond { var cond = builder.NewCond() - if user == nil || !user.IsRestricted { + if user == nil || !user.IsRestricted || user.ID <= 0 { orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate} - if user == nil { + if user == nil || user.ID <= 0 { orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited) } // 1. Be able to see all non-private repositories that either: @@ -363,7 +363,8 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err } // AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered. -func (user *User) AccessibleRepoIDsQuery() *builder.Builder { +func AccessibleRepoIDsQuery(user *User) *builder.Builder { + // NB: Please note this code needs to still work if user is nil return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(user)) } -- cgit v1.2.3