Ensure that feeds are appropriately restricted (go-gitea#10018)

* Always limit results by what is accessible to the user * Change signature of AccessibleRepoIDsQuery * Ensure that user with ID <= 0 is handled * Update models/repo_list.go
NiTRoeSE · Jan 28, 2020 · 206a031 · 206a031
1 parent 797e6f8
commit 206a031
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/models/action.go b/models/action.go
@@ -312,8 +312,8 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
 		}
 
 		cond = cond.And(builder.In("repo_id", repoIDs))
-	} else if opts.Actor != nil {
-		cond = cond.And(builder.In("repo_id", opts.Actor.AccessibleRepoIDsQuery()))
+	} else {
+		cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.Actor)))
 	}
 
 	cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})

diff --git a/models/repo_list.go b/models/repo_list.go
@@ -319,9 +319,9 @@ func SearchRepository(opts *SearchRepoOptions) (RepositoryList, int64, error) {
 func accessibleRepositoryCondition(user *User) builder.Cond {
 	var cond = builder.NewCond()
 
-	if user == nil || !user.IsRestricted {
+	if user == nil || !user.IsRestricted || user.ID <= 0 {
 		orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate}
-		if user == nil {
+		if user == nil || user.ID <= 0 {
 			orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited)
 		}
 		// 1. Be able to see all non-private repositories that either:
@@ -363,7 +363,8 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
 }
 
 // AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered.
-func (user *User) AccessibleRepoIDsQuery() *builder.Builder {
+func AccessibleRepoIDsQuery(user *User) *builder.Builder {
+	// NB: Please note this code needs to still work if user is nil
 	return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(user))
 }