From c51dd2b4fd69c9bfe8d1c7ddc96d84b31d9ab286 Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Tue, 14 Nov 2023 23:44:46 +0800
Subject: [PATCH] Restricted users only see repos in orgs which their team was
 assigned to (#28025) (#28051)

Backport #28025 by @6543

---
*Sponsored by Kithara Software GmbH*

Co-authored-by: 6543 <m.huber@kithara.com>
(cherry picked from commit 073d8c50dd78264bae824df10210546b3f87c7d5)
---
 models/repo/repo_list.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/models/repo/repo_list.go b/models/repo/repo_list.go
index 6c7c281cce..b1efec47b3 100644
--- a/models/repo/repo_list.go
+++ b/models/repo/repo_list.go
@@ -652,12 +652,12 @@ func AccessibleRepositoryCondition(user *user_model.User, unitType unit.Type) bu
 				userOrgTeamUnitRepoCond("`repository`.id", user.ID, unitType),
 			)
 		}
-		cond = cond.Or(
-			// 4. Repositories that we directly own
-			builder.Eq{"`repository`.owner_id": user.ID},
+		// 4. Repositories that we directly own
+		cond = cond.Or(builder.Eq{"`repository`.owner_id": user.ID})
+		if !user.IsRestricted {
 			// 5. Be able to see all public repos in private organizations that we are an org_user of
-			userOrgPublicRepoCond(user.ID),
-		)
+			cond = cond.Or(userOrgPublicRepoCond(user.ID))
+		}
 	}
 
 	return cond