* Ensure that feeds are appropriately restricted * Placate golangci-lint
This commit is contained in:
parent
4b11f967bd
commit
895d92ffe5
4 changed files with 38 additions and 7 deletions
|
@ -432,6 +432,8 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
|
|||
}
|
||||
|
||||
cond = cond.And(builder.In("repo_id", repoIDs))
|
||||
} else {
|
||||
cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.RequestingUserID)))
|
||||
}
|
||||
|
||||
cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})
|
||||
|
|
|
@ -315,6 +315,17 @@ func SearchRepository(opts *SearchRepoOptions) (RepositoryList, int64, error) {
|
|||
|
||||
// accessibleRepositoryCondition takes a user a returns a condition for checking if a repository is accessible
|
||||
func accessibleRepositoryCondition(userID int64) builder.Cond {
|
||||
if userID <= 0 {
|
||||
return builder.And(
|
||||
builder.Eq{"`repository`.is_private": false},
|
||||
builder.Or(
|
||||
// A. Aren't in organisations __OR__
|
||||
builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
|
||||
// B. Is a public organisation.
|
||||
builder.In("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"visibility": structs.VisibleTypePublic}))),
|
||||
)
|
||||
}
|
||||
|
||||
return builder.Or(
|
||||
// 1. Be able to see all non-private repositories that either:
|
||||
builder.And(
|
||||
|
@ -349,6 +360,12 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
|
|||
return SearchRepository(opts)
|
||||
}
|
||||
|
||||
// AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered.
|
||||
func AccessibleRepoIDsQuery(userID int64) *builder.Builder {
|
||||
// NB: Please note this code needs to still work if user is nil
|
||||
return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(userID))
|
||||
}
|
||||
|
||||
// FindUserAccessibleRepoIDs find all accessible repositories' ID by user's id
|
||||
func FindUserAccessibleRepoIDs(userID int64) ([]int64, error) {
|
||||
var accessCond builder.Cond = builder.Eq{"is_private": false}
|
||||
|
|
|
@ -142,8 +142,14 @@ func Dashboard(ctx *context.Context) {
|
|||
ctx.Data["MirrorCount"] = len(mirrors)
|
||||
ctx.Data["Mirrors"] = mirrors
|
||||
|
||||
requestingUserID := int64(0)
|
||||
if ctx.User != nil {
|
||||
requestingUserID = ctx.User.ID
|
||||
}
|
||||
|
||||
retrieveFeeds(ctx, models.GetFeedsOptions{
|
||||
RequestedUser: ctxUser,
|
||||
RequestingUserID: requestingUserID,
|
||||
IncludePrivate: true,
|
||||
OnlyPerformedBy: false,
|
||||
IncludeDeleted: false,
|
||||
|
|
|
@ -156,11 +156,17 @@ func Profile(ctx *context.Context) {
|
|||
orderBy = models.SearchOrderByRecentUpdated
|
||||
}
|
||||
|
||||
requestingUserID := int64(0)
|
||||
if ctx.User != nil {
|
||||
requestingUserID = ctx.User.ID
|
||||
}
|
||||
|
||||
keyword := strings.Trim(ctx.Query("q"), " ")
|
||||
ctx.Data["Keyword"] = keyword
|
||||
switch tab {
|
||||
case "activity":
|
||||
retrieveFeeds(ctx, models.GetFeedsOptions{RequestedUser: ctxUser,
|
||||
RequestingUserID: requestingUserID,
|
||||
IncludePrivate: showPrivate,
|
||||
OnlyPerformedBy: true,
|
||||
IncludeDeleted: false,
|
||||
|
|
Reference in a new issue