Browse Source

Ensure that feeds are appropriately restricted (#10018) (#10019)

* Ensure that feeds are appropriately restricted

* Placate golangci-lint
tags/v1.11.0
zeripath Lauris BH 3 weeks ago
parent
commit
895d92ffe5
4 changed files with 38 additions and 7 deletions
  1. +2
    -0
      models/action.go
  2. +17
    -0
      models/repo_list.go
  3. +10
    -4
      routers/user/home.go
  4. +9
    -3
      routers/user/profile.go

+ 2
- 0
models/action.go View File

@@ -432,6 +432,8 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
}

cond = cond.And(builder.In("repo_id", repoIDs))
} else {
cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.RequestingUserID)))
}

cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})


+ 17
- 0
models/repo_list.go View File

@@ -315,6 +315,17 @@ func SearchRepository(opts *SearchRepoOptions) (RepositoryList, int64, error) {

// accessibleRepositoryCondition takes a user a returns a condition for checking if a repository is accessible
func accessibleRepositoryCondition(userID int64) builder.Cond {
if userID <= 0 {
return builder.And(
builder.Eq{"`repository`.is_private": false},
builder.Or(
// A. Aren't in organisations __OR__
builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
// B. Is a public organisation.
builder.In("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"visibility": structs.VisibleTypePublic}))),
)
}

return builder.Or(
// 1. Be able to see all non-private repositories that either:
builder.And(
@@ -349,6 +360,12 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
return SearchRepository(opts)
}

// AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered.
func AccessibleRepoIDsQuery(userID int64) *builder.Builder {
// NB: Please note this code needs to still work if user is nil
return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(userID))
}

// FindUserAccessibleRepoIDs find all accessible repositories' ID by user's id
func FindUserAccessibleRepoIDs(userID int64) ([]int64, error) {
var accessCond builder.Cond = builder.Eq{"is_private": false}


+ 10
- 4
routers/user/home.go View File

@@ -142,11 +142,17 @@ func Dashboard(ctx *context.Context) {
ctx.Data["MirrorCount"] = len(mirrors)
ctx.Data["Mirrors"] = mirrors

requestingUserID := int64(0)
if ctx.User != nil {
requestingUserID = ctx.User.ID
}

retrieveFeeds(ctx, models.GetFeedsOptions{
RequestedUser: ctxUser,
IncludePrivate: true,
OnlyPerformedBy: false,
IncludeDeleted: false,
RequestedUser: ctxUser,
RequestingUserID: requestingUserID,
IncludePrivate: true,
OnlyPerformedBy: false,
IncludeDeleted: false,
})

if ctx.Written() {


+ 9
- 3
routers/user/profile.go View File

@@ -156,14 +156,20 @@ func Profile(ctx *context.Context) {
orderBy = models.SearchOrderByRecentUpdated
}

requestingUserID := int64(0)
if ctx.User != nil {
requestingUserID = ctx.User.ID
}

keyword := strings.Trim(ctx.Query("q"), " ")
ctx.Data["Keyword"] = keyword
switch tab {
case "activity":
retrieveFeeds(ctx, models.GetFeedsOptions{RequestedUser: ctxUser,
IncludePrivate: showPrivate,
OnlyPerformedBy: true,
IncludeDeleted: false,
RequestingUserID: requestingUserID,
IncludePrivate: showPrivate,
OnlyPerformedBy: true,
IncludeDeleted: false,
})
if ctx.Written() {
return


Loading…
Cancel
Save