
Ensure that feeds are appropriately restricted #10018


Merged
merged 7 commits into from
Jan 28, 2020

Conversation

zeripath
Contributor

Fix #9981

@zeripath zeripath added this to the 1.12.0 milestone Jan 27, 2020
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Jan 27, 2020
@zeripath zeripath changed the title Always limit results on dashboard by what is accessible to the user Ensure that feeds are appropriately restricted Jan 27, 2020
@codecov-io

codecov-io commented Jan 27, 2020

Codecov Report

Merging #10018 into master will decrease coverage by <.01%.
The diff coverage is 53.57%.


@@            Coverage Diff             @@
##           master   #10018      +/-   ##
==========================================
- Coverage   42.27%   42.26%   -0.01%     
==========================================
  Files         611      611              
  Lines       80389    80405      +16     
==========================================
- Hits        33988    33987       -1     
- Misses      42225    42239      +14     
- Partials     4176     4179       +3
Impacted Files Coverage Δ
services/pull/pull.go 33.93% <53.57%> (-0.14%) ⬇️
modules/queue/workerpool.go 41.2% <0%> (-2.58%) ⬇️
modules/log/file.go 75.52% <0%> (-2.1%) ⬇️
modules/git/repo.go 45.87% <0%> (+1.37%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6a33a74...0c03606. Read the comment docs.

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jan 27, 2020
@@ -319,7 +319,7 @@ func SearchRepository(opts *SearchRepoOptions) (RepositoryList, int64, error) {
func accessibleRepositoryCondition(user *User) builder.Cond {
var cond = builder.NewCond()

if user == nil || !user.IsRestricted {
if user == nil || !user.IsRestricted || user.ID <= 0 {
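Review bot: the added `user.ID <= 0` clause makes a non-nil user object with a non-positive ID count as anonymous for the public-repository clause, but nothing in the hunk records why such a value can reach `accessibleRepositoryCondition`, nor that any later `user == nil` check in the same function (the limited-organisation visibility test discussed in this thread) must apply the same rule. Add a short comment above the `if` and factor the test into one value, e.g. `anonymous := user == nil || user.ID <= 0`, used by every branch, so the two notions of "signed out" cannot drift apart.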
Member

Isn't it strange that user == nil enables VisibleTypeLimited orgs three lines below?

I was under the impression that user == nil (or user.ID <= 0) meant anonymous/unidentified.

Contributor Author

@zeripath zeripath Jan 27, 2020

It's not enabling it - rather restricting them away further. But I should probably add the user ID <= 0 test to that too - DONE

Member

@guillep2k guillep2k Jan 27, 2020

Not your fault, the code is previous to your PR. I've just noticed it:

	cond = cond.Or(builder.And(
		builder.Eq{"`repository`.is_private": false},
		builder.Or(
			//   A. Aren't in organisations  __OR__
			builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
			//   B. Isn't a private organisation. Limited is OK as long as we're logged in.
			builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.In("visibility", orgVisibilityLimit))))))

If I read this right, it's: user can see it if "repository is not private or (rest of the condition)". A limited org has public repos that anonymous users should not be able to see. This condition will make those repos pass, since they've got is_private == false.

I'm pretty tired, so I might be getting this wrong.
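The quoted `builder.Cond` is easier to reason about as a plain predicate than as SQL, so here is an added in-memory model of it (an illustration for this thread, not Gitea's own code). It evaluates the same AND/OR for one repository and one owner, with `orgVisibilityLimit` widened to limited-plus-private for anonymous viewers, and applies the `user == nil || !user.IsRestricted || user.ID <= 0` guard from the hunk. All type and function names, and the sample data, are assumptions of this example.

```go
package main

import "fmt"

// Added illustration for this PR thread, not Gitea's own code. It models in
// memory the predicate the quoted builder.Cond expresses in SQL, so the
// "limited org with a public repository" question can be checked directly.
// All names below are assumptions of this example.

// Visibility mirrors Gitea's public/limited/private organisation setting.
type Visibility int

const (
	VisibilityPublic Visibility = iota
	VisibilityLimited
	VisibilityPrivate
)

// User is either a person or an organisation (IsOrg).
type User struct {
	ID           int64
	IsOrg        bool
	Visibility   Visibility
	IsRestricted bool
}

// Repository carries only the fields the quoted condition reads.
type Repository struct {
	ID        int64
	OwnerID   int64
	IsPrivate bool
}

// isAnonymous is the test the hunk changes: a nil user or one with a
// non-positive ID is treated as a signed-out viewer.
func isAnonymous(user *User) bool {
	return user == nil || user.ID <= 0
}

// orgVisibilityLimit lists the organisation visibilities whose repositories
// are withheld from this viewer even when the repository itself is public:
// limited and private for anonymous viewers, private only once signed in.
func orgVisibilityLimit(user *User) []Visibility {
	if isAnonymous(user) {
		return []Visibility{VisibilityLimited, VisibilityPrivate}
	}
	return []Visibility{VisibilityPrivate}
}

// publicClause evaluates the AND/OR quoted above for one repository:
// is_private == false AND (owner is not an org OR the org's visibility
// is not in the limit set). The outer AND is what keeps a limited org's
// public repository hidden from anonymous viewers.
func publicClause(user *User, repo Repository, owner User) bool {
	if repo.IsPrivate {
		return false
	}
	if !owner.IsOrg {
		return true
	}
	for _, v := range orgVisibilityLimit(user) {
		if owner.Visibility == v {
			return false
		}
	}
	return true
}

// VisibleRepositoryIDs applies the guard from the hunk: the public clause is
// OR-ed in only for anonymous or non-restricted users. Further clauses
// (ownership, team membership) are out of scope, so in this model a
// restricted user sees nothing.
func VisibleRepositoryIDs(user *User, repos []Repository, owners map[int64]User) []int64 {
	var ids []int64
	if !isAnonymous(user) && user.IsRestricted {
		return ids
	}
	for _, r := range repos {
		if publicClause(user, r, owners[r.OwnerID]) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

// Constructed sample data: a person, a limited org and a private org.
var SampleOwners = map[int64]User{
	1: {ID: 1},
	2: {ID: 2, IsOrg: true, Visibility: VisibilityLimited},
	3: {ID: 3, IsOrg: true, Visibility: VisibilityPrivate},
}

var SampleRepos = []Repository{
	{ID: 1, OwnerID: 1, IsPrivate: false}, // public repo of a person
	{ID: 2, OwnerID: 2, IsPrivate: false}, // public repo of a limited org
	{ID: 3, OwnerID: 2, IsPrivate: true},  // private repo of a limited org
	{ID: 4, OwnerID: 3, IsPrivate: false}, // public repo of a private org
}

func main() {
	fmt.Println("anonymous:", VisibleRepositoryIDs(nil, SampleRepos, SampleOwners))
	fmt.Println("signed in:", VisibleRepositoryIDs(&User{ID: 7}, SampleRepos, SampleOwners))
	fmt.Println("restricted:", VisibleRepositoryIDs(&User{ID: 8, IsRestricted: true}, SampleRepos, SampleOwners))
}
```

Running it shows the anonymous viewer (nil or ID 0) getting only repository 1, a signed-in user getting 1 and 2, and a restricted user getting nothing from this clause: the public repository of the limited org is filtered by the visibility sub-condition, not by `is_private`, which is why the quoted AND/OR is correct.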

Member

@guillep2k guillep2k left a comment

On a second look... see my comment about orgs.

@guillep2k
Member

Please disregard my comments about the permissions. They were just fine. 😔

@zeripath zeripath merged commit 206a031 into go-gitea:master Jan 28, 2020
@zeripath zeripath deleted the fix-9981-limited-hidden-activity branch January 28, 2020 11:39
lafriks pushed a commit that referenced this pull request Jan 28, 2020
* Ensure that feeds are appropriately restricted

* Placate golangci-lint
@zeripath zeripath added backport/done All backports for this PR have been created backport/v1.10 labels Jan 28, 2020
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug
Successfully merging this pull request may close these issues.

Private repo under User activities must hidden!!!
5 participants