Allow collaborators to view repo owned by private org (#6965) (#6968)

* Allow collaborators to view repo owned private org (#6965) Handle case where an orginization is private but a user who is not a member of the orgninization has been added as a collaborator of a repo within that org Fixes #6962 * Match release/v1.8 fixtures
go-gitea · May 16, 2019 · 2198396 · 2198396
1 parent e069a75
commit 2198396
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 4 deletions.
diff --git a/integrations/org_test.go b/integrations/org_test.go
@@ -92,6 +92,15 @@ func TestPrivateOrg(t *testing.T) {
 	req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org")
 	session.MakeRequest(t, req, http.StatusNotFound)
 
+	// non-org member who is collaborator on repo in private org
+	session = loginUser(t, "user4")
+	req = NewRequest(t, "GET", "/privated_org")
+	session.MakeRequest(t, req, http.StatusNotFound)
+	req = NewRequest(t, "GET", "/privated_org/public_repo_on_private_org") // colab of this repo
+	session.MakeRequest(t, req, http.StatusOK)
+	req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org")
+	session.MakeRequest(t, req, http.StatusNotFound)
+
 	// site admin
 	session = loginUser(t, "user1")
 	req = NewRequest(t, "GET", "/privated_org")

diff --git a/models/fixtures/collaboration.yml b/models/fixtures/collaboration.yml
@@ -9,3 +9,9 @@
   repo_id: 4
   user_id: 4
   mode: 2 # write
+
+-
+  id: 3
+  repo_id: 38
+  user_id: 4
+  mode: 2 # write
diff --git a/models/repo_permission.go b/models/repo_permission.go
@@ -107,7 +107,17 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss
 		repo.mustOwner(e)
 	}
 
-	if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) {
+	var isCollaborator bool
+	if user != nil {
+		isCollaborator, err = repo.isCollaborator(e, user.ID)
+		if err != nil {
+			return perm, err
+		}
+	}
+
+	// Prevent strangers from checking out public repo of private orginization
+	// Allow user if they are collaborator of a repo within a private orginization but not a member of the orginization itself
+	if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) && !isCollaborator {
 		perm.AccessMode = AccessModeNone
 		return
 	}
@@ -146,9 +156,7 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss
 	perm.UnitsMode = make(map[UnitType]AccessMode)
 
 	// Collaborators on organization
-	if isCollaborator, err := repo.isCollaborator(e, user.ID); err != nil {
-		return perm, err
-	} else if isCollaborator {
+	if isCollaborator {
 		for _, u := range repo.Units {
 			perm.UnitsMode[u.Type] = perm.AccessMode
 		}