Ensure that feeds are appropriately restricted (#10018)
* Always limit results by what is accessible to the user * Change signature of AccessibleRepoIDsQuery * Ensure that user with ID <= 0 is handled * Update models/repo_list.go
This commit is contained in:
parent
797e6f8f4c
commit
206a031b38
2 changed files with 6 additions and 5 deletions
@ -312,8 +312,8 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
}
}
|
|
cond = cond.And(builder.In("repo_id", repoIDs))
cond = cond.And(builder.In("repo_id", repoIDs))
} else if opts.Actor != nil {
} else {
cond = cond.And(builder.In("repo_id", opts.Actor.AccessibleRepoIDsQuery()))
cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.Actor)))
}
}
|
|
cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})
cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})
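Review bot: The `else` branch now always narrows to `AccessibleRepoIDsQuery(opts.Actor)`, but the first branch still filters on `repoIDs` alone, so the restriction only holds if `repoIDs` is itself built from what the actor may see; that computation and the condition guarding the branch are above the hunk and not visible here. If it is not already access-filtered, the branch should intersect with the accessible set as well, e.g. `cond = cond.And(builder.In("repo_id", repoIDs), builder.In("repo_id", AccessibleRepoIDsQuery(opts.Actor)))`. Since `opts.Actor` can now be nil on the `else` path, a call-site comment such as `// opts.Actor may be nil (anonymous request); AccessibleRepoIDsQuery must cope with that` would make the dependency explicit. GetFeeds begins before this hunk.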
@ -319,9 +319,9 @@ func SearchRepository(opts *SearchRepoOptions) (RepositoryList, int64, error) {
func accessibleRepositoryCondition(user *User) builder.Cond {
func accessibleRepositoryCondition(user *User) builder.Cond {
var cond = builder.NewCond()
var cond = builder.NewCond()
|
|
if user == nil || !user.IsRestricted {
if user == nil || !user.IsRestricted || user.ID <= 0 {
orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate}
orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate}
if user == nil {
if user == nil || user.ID <= 0 {
orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited)
orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited)
}
}
// 1. Be able to see all non-private repositories that either:
// 1. Be able to see all non-private repositories that either:
|
@ -363,7 +363,8 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
}
}
|
|
// AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered.
// AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered.
func (user *User) AccessibleRepoIDsQuery() *builder.Builder {
func AccessibleRepoIDsQuery(user *User) *builder.Builder {
|
// NB: Please note this code needs to still work if user is nil
return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(user))
return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(user))
}
}
|
|
|
|