Do not allow Ghost access to limited visible user/org (go-gitea#21849)
The Ghost user should not be allowed to have access to a limited visible
user/org.

Co-authored-by: Lauris BH <lauris@nix.lv>
KN4CK3R and lafriks committed Nov 20, 2022
1 parent 56716f5 commit a3e5231
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions models/organization/org.go
Expand Up @@ -448,8 +448,9 @@ func CountOrgs(opts FindOrgOptions) (int64, error) {

// HasOrgOrUserVisible tells if the given user can see the given org or user
func HasOrgOrUserVisible(ctx context.Context, orgOrUser, user *user_model.User) bool {
// Not SignedUser
if user == nil {
// If user is nil, it's an anonymous user/request.
// The Ghost user is handled like an anonymous user.
if user == nil || user.IsGhost() {
return orgOrUser.Visibility == structs.VisibleTypePublic
}
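
Review bot: The widened condition `if user == nil || user.IsGhost()` changes an access-control result, but the commit shows 1 changed file (models/organization/org.go) and no test, so a later refactor of this check could reopen Ghost access to limited orgs without anything failing. Add a unit test for HasOrgOrUserVisible that passes a Ghost user against a public and a limited org/user and expects true only for the public one, alongside the existing nil case. The doc comment above the function could also state that nil and Ghost callers are treated as anonymous, since that is now part of its contract and is currently recorded only in the inline comment.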
