From 8adba93498ccdde7edcb54e10f6a3d176c3815c4 Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Sat, 7 May 2022 18:21:15 +0200 Subject: Hide private repositories in packages (#19584) --- modules/convert/package.go | 22 ++++++++++++++++------ modules/notification/webhook/webhook.go | 18 ++++++++++-------- 2 files changed, 26 insertions(+), 14 deletions(-) (limited to 'modules') diff --git a/modules/convert/package.go b/modules/convert/package.go index 681219ca1a..a4ea41d522 100644 --- a/modules/convert/package.go +++ b/modules/convert/package.go @@ -5,28 +5,38 @@ package convert import ( + "context" + + "code.gitea.io/gitea/models" "code.gitea.io/gitea/models/packages" - "code.gitea.io/gitea/models/perm" + user_model "code.gitea.io/gitea/models/user" api "code.gitea.io/gitea/modules/structs" ) // ToPackage convert a packages.PackageDescriptor to api.Package -func ToPackage(pd *packages.PackageDescriptor) *api.Package { +func ToPackage(ctx context.Context, pd *packages.PackageDescriptor, doer *user_model.User) (*api.Package, error) { var repo *api.Repository if pd.Repository != nil { - repo = ToRepo(pd.Repository, perm.AccessModeNone) + permission, err := models.GetUserRepoPermission(ctx, pd.Repository, doer) + if err != nil { + return nil, err + } + + if permission.HasAccess() { + repo = ToRepo(pd.Repository, permission.AccessMode) + } } return &api.Package{ ID: pd.Version.ID, - Owner: ToUser(pd.Owner, nil), + Owner: ToUser(pd.Owner, doer), Repository: repo, - Creator: ToUser(pd.Creator, nil), + Creator: ToUser(pd.Creator, doer), Type: string(pd.Package.Type), Name: pd.Package.Name, Version: pd.Version.Version, CreatedAt: pd.Version.CreatedUnix.AsTime(), - } + }, nil } // ToPackageFile converts packages.PackageFileDescriptor to api.PackageFile diff --git a/modules/notification/webhook/webhook.go b/modules/notification/webhook/webhook.go index d24440d585..c59e972ed6 100644 --- a/modules/notification/webhook/webhook.go +++ b/modules/notification/webhook/webhook.go 
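Review bot: The doc comment on ToPackage still reads `// ToPackage convert a packages.PackageDescriptor to api.Package` and says nothing about the new access check, which is now the security-relevant part of the function. Callers need to know that `Repository` is left nil whenever `doer` has no access to `pd.Repository`, and that a failed permission lookup returns `nil, err` instead of a package without the repository. I would extend it to something like `// ToPackage converts pd to an api.Package as seen by doer; Repository is omitted unless doer has access to it.` Whether a nil `doer` is treated as an anonymous user depends on GetUserRepoPermission, which is outside this hunk, so the comment should state what callers may pass.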
@@ -872,17 +872,19 @@ func notifyPackage(sender *user_model.User, pd *packages_model.PackageDescriptor return } - org := pd.Owner - if !org.IsOrganization() { - org = nil + ctx, _, finished := process.GetManager().AddContext(graceful.GetManager().HammerContext(), fmt.Sprintf("webhook.notifyPackage Package: %s[%d]", pd.Package.Name, pd.Package.ID)) + defer finished() + + apiPackage, err := convert.ToPackage(ctx, pd, sender) + if err != nil { + log.Error("Error converting package: %v", err) + return } if err := webhook_services.PrepareWebhooks(pd.Repository, webhook.HookEventPackage, &api.PackagePayload{ - Action: action, - Repository: convert.ToRepo(pd.Repository, perm.AccessModeNone), - Package: convert.ToPackage(pd), - Organization: convert.ToUser(org, nil), - Sender: convert.ToUser(sender, nil), + Action: action, + Package: apiPackage, + Sender: convert.ToUser(sender, nil), }); err != nil { log.Error("PrepareWebhooks: %v", err) } -- cgit v1.2.3
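Review bot: The payload in notifyPackage is filtered by what `sender` may see (`convert.ToPackage(ctx, pd, sender)`), but it is delivered to the receivers of the hooks selected by `PrepareWebhooks(pd.Repository, ...)`, so the access decision is made for a different principal than the one who reads the data. ToPackage passes that doer on to `ToUser(pd.Owner, doer)` and `ToUser(pd.Creator, doer)`, while `Sender` in the same payload is still rendered with `nil`. ToUser is not shown here, but if it returns extra fields when the doer is the user or an administrator, those fields would now reach webhook receivers. Either record the intent above the call, for example `// payload is rendered with sender's permissions, not the receiver's`, or render the user fields with a nil doer as `Sender` does. The function body starts before this hunk, so any earlier guard on `pd.Repository` is not visible here.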