Ensure that feeds are appropriately restricted (#10018) (#10019)

* Ensure that feeds are appropriately restricted

* Placate golangci-lint
This commit is contained in:
zeripath 2020-01-28 21:54:09 +00:00 committed by Lauris BH
parent 4b11f967bd
commit 895d92ffe5
4 changed files with 38 additions and 7 deletions

View file

@ -432,6 +432,8 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
} }
cond = cond.And(builder.In("repo_id", repoIDs)) cond = cond.And(builder.In("repo_id", repoIDs))
} else {
cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.RequestingUserID)))
} }
cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID}) cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})

View file

@ -315,6 +315,17 @@ func SearchRepository(opts *SearchRepoOptions) (RepositoryList, int64, error) {
// accessibleRepositoryCondition takes a user a returns a condition for checking if a repository is accessible // accessibleRepositoryCondition takes a user a returns a condition for checking if a repository is accessible
func accessibleRepositoryCondition(userID int64) builder.Cond { func accessibleRepositoryCondition(userID int64) builder.Cond {
if userID <= 0 {
return builder.And(
builder.Eq{"`repository`.is_private": false},
builder.Or(
// A. Aren't in organisations __OR__
builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
// B. Is a public organisation.
builder.In("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"visibility": structs.VisibleTypePublic}))),
)
}
return builder.Or( return builder.Or(
// 1. Be able to see all non-private repositories that either: // 1. Be able to see all non-private repositories that either:
builder.And( builder.And(
@ -349,6 +360,12 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
return SearchRepository(opts) return SearchRepository(opts)
} }
// AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered.
func AccessibleRepoIDsQuery(userID int64) *builder.Builder {
// NB: Please note this code needs to still work if user is nil
return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(userID))
}
// FindUserAccessibleRepoIDs find all accessible repositories' ID by user's id // FindUserAccessibleRepoIDs find all accessible repositories' ID by user's id
func FindUserAccessibleRepoIDs(userID int64) ([]int64, error) { func FindUserAccessibleRepoIDs(userID int64) ([]int64, error) {
var accessCond builder.Cond = builder.Eq{"is_private": false} var accessCond builder.Cond = builder.Eq{"is_private": false}

View file

@ -142,11 +142,17 @@ func Dashboard(ctx *context.Context) {
ctx.Data["MirrorCount"] = len(mirrors) ctx.Data["MirrorCount"] = len(mirrors)
ctx.Data["Mirrors"] = mirrors ctx.Data["Mirrors"] = mirrors
requestingUserID := int64(0)
if ctx.User != nil {
requestingUserID = ctx.User.ID
}
retrieveFeeds(ctx, models.GetFeedsOptions{ retrieveFeeds(ctx, models.GetFeedsOptions{
RequestedUser: ctxUser, RequestedUser: ctxUser,
IncludePrivate: true, RequestingUserID: requestingUserID,
OnlyPerformedBy: false, IncludePrivate: true,
IncludeDeleted: false, OnlyPerformedBy: false,
IncludeDeleted: false,
}) })
if ctx.Written() { if ctx.Written() {

View file

@ -156,14 +156,20 @@ func Profile(ctx *context.Context) {
orderBy = models.SearchOrderByRecentUpdated orderBy = models.SearchOrderByRecentUpdated
} }
requestingUserID := int64(0)
if ctx.User != nil {
requestingUserID = ctx.User.ID
}
keyword := strings.Trim(ctx.Query("q"), " ") keyword := strings.Trim(ctx.Query("q"), " ")
ctx.Data["Keyword"] = keyword ctx.Data["Keyword"] = keyword
switch tab { switch tab {
case "activity": case "activity":
retrieveFeeds(ctx, models.GetFeedsOptions{RequestedUser: ctxUser, retrieveFeeds(ctx, models.GetFeedsOptions{RequestedUser: ctxUser,
IncludePrivate: showPrivate, RequestingUserID: requestingUserID,
OnlyPerformedBy: true, IncludePrivate: showPrivate,
IncludeDeleted: false, OnlyPerformedBy: true,
IncludeDeleted: false,
}) })
if ctx.Written() { if ctx.Written() {
return return