From f6bec8529697bdb89ebcd0901ba093f06aa9ac46 Mon Sep 17 00:00:00 2001
From: Norwin
Date: Tue, 22 Dec 2020 02:53:37 +0000
Subject: rework heatmap permissions (#14080)
* now uses the same permission model as for the activity feed: only include activities in repos, that the doer has access to. this might be somewhat slower.
* also improves handling of user.KeepActivityPrivate (still shows the heatmap to self & admins)
* extend tests
* adjust integration test to new behaviour
* add access to actions for admins
* extend heatmap unit tests
---
routers/api/v1/user/user.go | 2 +-
routers/user/home.go | 2 +-
routers/user/profile.go | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'routers')
diff --git a/routers/api/v1/user/user.go b/routers/api/v1/user/user.go
index b552c1353a..07d5e9112b 100644
--- a/routers/api/v1/user/user.go
+++ b/routers/api/v1/user/user.go
@@ -166,7 +166,7 @@ func GetUserHeatmapData(ctx *context.APIContext) {
 return
 }
 
- heatmap, err := models.GetUserHeatmapDataByUser(user)
+ heatmap, err := models.GetUserHeatmapDataByUser(user, ctx.User)
 if err != nil {
 ctx.Error(http.StatusInternalServerError, "GetUserHeatmapDataByUser", err)
 return
diff --git a/routers/user/home.go b/routers/user/home.go
index 46532f82b9..92a9138475 100644
--- a/routers/user/home.go
+++ b/routers/user/home.go
@@ -115,7 +115,7 @@ func Dashboard(ctx *context.Context) {
 // no heatmap access for admins; GetUserHeatmapDataByUser ignores the calling user
 // so everyone would get the same empty heatmap
 if setting.Service.EnableUserHeatmap && !ctxUser.KeepActivityPrivate {
- data, err := models.GetUserHeatmapDataByUser(ctxUser)
+ data, err := models.GetUserHeatmapDataByUser(ctxUser, ctx.User)
 if err != nil {
 ctx.ServerError("GetUserHeatmapDataByUser", err)
 return
diff --git a/routers/user/profile.go b/routers/user/profile.go
index 36f3d0735d..bd5b359272 100644
--- a/routers/user/profile.go
+++ b/routers/user/profile.go
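Review bot: The new second argument `ctx.User` in GetUserHeatmapData is nil whenever the API request is unauthenticated, and nothing in this hunk shows whether the route requires a signed-in user. Because the access decision now sits inside `models.GetUserHeatmapDataByUser`, that function has to treat a nil doer as an anonymous viewer and count only activity in repositories that viewer may see; its body is not part of this view (limited to 'routers'), so this should be confirmed there. I would add a comment above the call, `// ctx.User may be nil (anonymous); the model limits the heatmap to repos the doer can access`. GetUserHeatmapData starts and ends outside the hunk.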
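Review bot: In Dashboard the unchanged guard `!ctxUser.KeepActivityPrivate` and the comment above it ("GetUserHeatmapDataByUser ignores the calling user") no longer match the call, which now passes `ctx.User`; the same applies to the Profile hunk in routers/user/profile.go. With the guard in place, a user who keeps activity private, or an admin viewing that user, never reaches the model, which appears to contradict the commit description ("still shows the heatmap to self & admins"). If the model now enforces KeepActivityPrivate itself (not visible in this view), the condition can shrink to `if setting.Service.EnableUserHeatmap {` and the two comment lines can be replaced with `// visibility (KeepActivityPrivate, repo access) is decided in GetUserHeatmapDataByUser from ctx.User`. Both function bodies continue outside their hunks.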
@@ -98,7 +98,7 @@ func Profile(ctx *context.Context) {
 // no heatmap access for admins; GetUserHeatmapDataByUser ignores the calling user
 // so everyone would get the same empty heatmap
 if setting.Service.EnableUserHeatmap && !ctxUser.KeepActivityPrivate {
- data, err := models.GetUserHeatmapDataByUser(ctxUser)
+ data, err := models.GetUserHeatmapDataByUser(ctxUser, ctx.User)
 if err != nil {
 ctx.ServerError("GetUserHeatmapDataByUser", err)
 return
--
cgit v1.2.3