Handle case where an orginization is private but a user who is not a member of the orgninization has been added as a collaborator of a repo within that org Fixes #6962tags/v1.9.0-rc1
@@ -92,6 +92,15 @@ func TestPrivateOrg(t *testing.T) { | |||
req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org") | |||
session.MakeRequest(t, req, http.StatusNotFound) | |||
// non-org member who is collaborator on repo in private org | |||
session = loginUser(t, "user4") | |||
req = NewRequest(t, "GET", "/privated_org") | |||
session.MakeRequest(t, req, http.StatusNotFound) | |||
req = NewRequest(t, "GET", "/privated_org/public_repo_on_private_org") // colab of this repo | |||
session.MakeRequest(t, req, http.StatusOK) | |||
req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org") | |||
session.MakeRequest(t, req, http.StatusNotFound) | |||
// site admin | |||
session = loginUser(t, "user1") | |||
req = NewRequest(t, "GET", "/privated_org") |
@@ -9,3 +9,9 @@ | |||
repo_id: 4 | |||
user_id: 4 | |||
mode: 2 # write | |||
- | |||
id: 3 | |||
repo_id: 40 | |||
user_id: 4 | |||
mode: 2 # write |
@@ -168,7 +168,17 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss | |||
repo.mustOwner(e) | |||
} | |||
if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) { | |||
var isCollaborator bool | |||
if user != nil { | |||
isCollaborator, err = repo.isCollaborator(e, user.ID) | |||
if err != nil { | |||
return perm, err | |||
} | |||
} | |||
// Prevent strangers from checking out public repo of private orginization | |||
// Allow user if they are collaborator of a repo within a private orginization but not a member of the orginization itself | |||
if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) && !isCollaborator { | |||
perm.AccessMode = AccessModeNone | |||
return | |||
} | |||
@@ -207,9 +217,7 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss | |||
perm.UnitsMode = make(map[UnitType]AccessMode) | |||
// Collaborators on organization | |||
if isCollaborator, err := repo.isCollaborator(e, user.ID); err != nil { | |||
return perm, err | |||
} else if isCollaborator { | |||
if isCollaborator { | |||
for _, u := range repo.Units { | |||
perm.UnitsMode[u.Type] = perm.AccessMode | |||
} |