
Commit 895d92f

zeripathlafriks
authored and committed
Ensure that feeds are appropriately restricted (#10018) (#10019)
* Ensure that feeds are appropriately restricted * Placate golangci-lint
1 parent 4b11f96 commit 895d92f


4 files changed

+38
-7
lines changed


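--- a/models/action.go
+++ b/models/action.go
@@ -432,6 +432,8 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
 		}
 
 		cond = cond.And(builder.In("repo_id", repoIDs))
+	} else {
+		cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.RequestingUserID)))
 	}
 
 	cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})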
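Review bot: The new else branch says nothing about why the feed query is now narrowed by a subquery, and the convention that `opts.RequestingUserID` is 0 for anonymous callers is only implied by the call sites; add `// Non-organisation feeds: restrict to repositories the requesting user (0 = anonymous) may see, so actions on private repositories are not exposed.` above the `cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.RequestingUserID)))` line. GetFeeds begins and ends outside the hunk, so the condition selecting the first branch is not visible here; given the `repoIDs` it filters on, it is presumably the organisation case. Any caller that builds GetFeedsOptions without setting RequestingUserID now gets anonymous-level filtering, which is the safe default but deserves a sentence on the struct field.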

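--- a/models/repo_list.go
+++ b/models/repo_list.go
@@ -315,6 +315,17 @@ func SearchRepository(opts *SearchRepoOptions) (RepositoryList, int64, error) {
 
 // accessibleRepositoryCondition takes a user a returns a condition for checking if a repository is accessible
 func accessibleRepositoryCondition(userID int64) builder.Cond {
+	if userID <= 0 {
+		return builder.And(
+			builder.Eq{"`repository`.is_private": false},
+			builder.Or(
+				// A. Aren't in organisations __OR__
+				builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
+				// B. Is a public organisation.
+				builder.In("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"visibility": structs.VisibleTypePublic}))),
+		)
+	}
+
 	return builder.Or(
 		// 1. Be able to see all non-private repositories that either:
 		builder.And(
@@ -349,6 +360,12 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
 	return SearchRepository(opts)
 }
 
+// AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered.
+func AccessibleRepoIDsQuery(userID int64) *builder.Builder {
+	// NB: Please note this code needs to still work if user is nil
+	return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(userID))
+}
+
 // FindUserAccessibleRepoIDs find all accessible repositories' ID by user's id
 func FindUserAccessibleRepoIDs(userID int64) ([]int64, error) {
 	var accessCond builder.Cond = builder.Eq{"is_private": false}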
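Review bot: The comment inside the new AccessibleRepoIDsQuery, `// NB: Please note this code needs to still work if user is nil`, does not match its int64 parameter — nothing here can be nil; reword it to `// NB: must keep working for anonymous callers, i.e. userID == 0 (accessibleRepositoryCondition treats userID <= 0 as anonymous).` In the first hunk the new anonymous branch of accessibleRepositoryCondition appears to be a hand copy of the "non-private repositories" clause that follows it (only its opening lines are visible), so a future change to what counts as publicly visible would have to be made in two places; either build the anonymous condition from that shared clause or leave a comment pointing at the sibling so the two stay in sync. The subquery uses `From("repository")` unquoted while the condition it wraps refers to "`repository`.is_private" with backticks; mixing the two forms in one statement is worth avoiding even where the backend accepts both. The pre-existing doc line `// accessibleRepositoryCondition takes a user a returns a condition` should read "takes a user ID and returns a condition".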

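--- a/routers/user/home.go
+++ b/routers/user/home.go
@@ -142,11 +142,17 @@ func Dashboard(ctx *context.Context) {
 	ctx.Data["MirrorCount"] = len(mirrors)
 	ctx.Data["Mirrors"] = mirrors
 
+	requestingUserID := int64(0)
+	if ctx.User != nil {
+		requestingUserID = ctx.User.ID
+	}
+
 	retrieveFeeds(ctx, models.GetFeedsOptions{
-		RequestedUser:   ctxUser,
-		IncludePrivate:  true,
-		OnlyPerformedBy: false,
-		IncludeDeleted:  false,
+		RequestedUser:    ctxUser,
+		RequestingUserID: requestingUserID,
+		IncludePrivate:   true,
+		OnlyPerformedBy:  false,
+		IncludeDeleted:   false,
 	})
 
 	if ctx.Written() {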
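Review bot: The four-line `requestingUserID` derivation added before the retrieveFeeds call is repeated verbatim in routers/user/profile.go in this same commit, and neither copy records that 0 is the agreed "anonymous" value the models layer keys on; a small helper in the router package keeps that convention in one documented place and shrinks each call site to `RequestingUserID: signedInUserID(ctx),`. Dashboard begins and ends outside the hunk, so whether it can actually run with `ctx.User == nil` is not visible here; the nil check is harmless either way.

```go
// signedInUserID returns the ID of the signed-in user, or 0 for an anonymous
// request. The feed and repository queries treat 0 as "anonymous" and restrict
// results to publicly visible data.
func signedInUserID(ctx *context.Context) int64 {
	if ctx.User == nil {
		return 0
	}
	return ctx.User.ID
}

// … unchanged: Dashboard body up to the retrieveFeeds call …
	retrieveFeeds(ctx, models.GetFeedsOptions{
		RequestedUser:    ctxUser,
		RequestingUserID: signedInUserID(ctx),
// … unchanged: remaining GetFeedsOptions fields …
```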

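--- a/routers/user/profile.go
+++ b/routers/user/profile.go
@@ -156,14 +156,20 @@ func Profile(ctx *context.Context) {
 		orderBy = models.SearchOrderByRecentUpdated
 	}
 
+	requestingUserID := int64(0)
+	if ctx.User != nil {
+		requestingUserID = ctx.User.ID
+	}
+
 	keyword := strings.Trim(ctx.Query("q"), " ")
 	ctx.Data["Keyword"] = keyword
 	switch tab {
 	case "activity":
 		retrieveFeeds(ctx, models.GetFeedsOptions{RequestedUser: ctxUser,
-			IncludePrivate:  showPrivate,
-			OnlyPerformedBy: true,
-			IncludeDeleted:  false,
+			RequestingUserID: requestingUserID,
+			IncludePrivate:   showPrivate,
+			OnlyPerformedBy:  true,
+			IncludeDeleted:   false,
 		})
 		if ctx.Written() {
 			return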
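Review bot: The struct literal that the new `RequestingUserID: requestingUserID,` line joins keeps its first field on the opening line, `retrieveFeeds(ctx, models.GetFeedsOptions{RequestedUser: ctxUser,`, so the fields do not form one column the way the sibling call in routers/user/home.go does in this same commit; moving `RequestedUser: ctxUser,` onto its own line would make the two call sites read the same. Profile begins and ends outside the hunk, and `showPrivate` and `ctxUser` are computed there, so how `showPrivate` relates to the new requesting-user filter is not visible here.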
