mirror of
https://github.com/go-gitea/gitea.git
synced 2024-12-04 14:46:57 -05:00
Don't disclose limited orgs to unauthenticated users
This commit is contained in:
parent
3459547fca
commit
b788ef32ff
@ -321,14 +321,18 @@ func accessibleRepositoryCondition(user *User) builder.Cond {
|
||||
var cond = builder.NewCond()
|
||||
|
||||
if user == nil || !user.IsRestricted {
|
||||
var orgVisibilityLimit = structs.VisibleTypePrivate
|
||||
if user == nil {
|
||||
orgVisibilityLimit = structs.VisibleTypeLimited
|
||||
}
|
||||
// 1. Be able to see all non-private repositories that either:
|
||||
cond = cond.Or(builder.And(
|
||||
builder.Eq{"`repository`.is_private": false},
|
||||
builder.Or(
|
||||
// A. Aren't in organisations __OR__
|
||||
builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
|
||||
// B. Isn't a private organisation. (Limited is OK because we're logged in)
|
||||
builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"visibility": structs.VisibleTypePrivate})))))
|
||||
// B. Isn't a private organisation. Limited is OK as long as we're logged in.
|
||||
builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Gte{"visibility": orgVisibilityLimit})))))
|
||||
}
|
||||
|
||||
if user != nil {
|
||||
|
Loading…
Reference in New Issue
Block a user