From b788ef32ff1bc8c9d7edc367b49c871e6bad938f Mon Sep 17 00:00:00 2001
From: Manush Dodunekov
Date: Thu, 9 Jan 2020 08:28:11 +0100
Subject: [PATCH] Don't disclose limited orgs to unauthenticated users

---
 models/repo_list.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/models/repo_list.go b/models/repo_list.go
index a08035ba71..9d0fd6a324 100644
--- a/models/repo_list.go
+++ b/models/repo_list.go
@@ -321,14 +321,18 @@ func accessibleRepositoryCondition(user *User) builder.Cond {
 	var cond = builder.NewCond()
 
 	if user == nil || !user.IsRestricted {
+		var orgVisibilityLimit = structs.VisibleTypePrivate
+		if user == nil {
+			orgVisibilityLimit = structs.VisibleTypeLimited
+		}
 		// 1. Be able to see all non-private repositories that either:
 		cond = cond.Or(builder.And(
 			builder.Eq{"`repository`.is_private": false},
 			builder.Or(
 				// A. Aren't in organisations __OR__
 				builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
-				// B. Isn't a private organisation. (Limited is OK because we're logged in)
-				builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"visibility": structs.VisibleTypePrivate}))))),
+				// B. Isn't a private organisation. Limited is OK as long as we're logged in.
+				builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Gte{"visibility": orgVisibilityLimit}))))),
 	}
 
 	if user != nil {
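Review bot: The new `builder.Gte{"visibility": orgVisibilityLimit}` filter is only correct if the VisibleType constants are numerically ordered Public < Limited < Private, and nothing in the hunk states or checks that assumption; a future level inserted between Limited and Private, or a reordering of the enum, would silently widen what anonymous visitors can see. Either document it next to the comparison, e.g. `// Relies on VisibleType ordering Public < Limited < Private; anonymous users must not see Limited or Private orgs.`, or drop the ordering dependency by listing the hidden levels explicitly with `builder.In("visibility", structs.VisibleTypeLimited, structs.VisibleTypePrivate)` for the anonymous case and `builder.Eq{"visibility": structs.VisibleTypePrivate}` otherwise. A regression test that asserts an anonymous query excludes a limited org's repositories would pin the disclosure fix. `accessibleRepositoryCondition` begins before the hunk and its body continues after it.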