From 1767e674626e9398565e2fe98ceec6da7c6fe9e4 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Mon, 18 Jul 2022 21:03:00 +0100
Subject: [PATCH 1/2] Simplify visibility checks.
---
 models/user/search.go | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/models/user/search.go b/models/user/search.go
index 1b65dcb12d46..52aaf850cadc 100644
--- a/models/user/search.go
+++ b/models/user/search.go
@@ -59,25 +59,18 @@ func (opts *SearchUserOptions) toSearchQueryBase() *xorm.Session {
 }
 if opts.Actor != nil {
- exprCond := builder.Expr("org_user.org_id = `user`.id")
-
 // If Admin - they see all users!
 if !opts.Actor.IsAdmin {
- // Force visibility for privacy
- var accessCond builder.Cond
+ // Users can see an organization they are a member of
+ var accessCond builder.Cond = builder.In("id", builder.Select("org_id").From("org_user").Where(builder.Eq{"uid": opts.Actor.ID}))
 if !opts.Actor.IsRestricted {
- accessCond = builder.Or(
- builder.In("id", builder.Select("org_id").From("org_user").LeftJoin("`user`", exprCond).Where(builder.And(builder.Eq{"uid": opts.Actor.ID}, builder.Eq{"visibility": structs.VisibleTypePrivate}))),
- builder.In("visibility", structs.VisibleTypePublic, structs.VisibleTypeLimited))
- } else {
- // restricted users only see orgs they are a member of
- accessCond = builder.In("id", builder.Select("org_id").From("org_user").LeftJoin("`user`", exprCond).Where(builder.And(builder.Eq{"uid": opts.Actor.ID})))
+ // Not-Restricted users can see public and limited users/organziations
+ accessCond = accessCond.Or(builder.In("visibility", structs.VisibleTypePublic, structs.VisibleTypeLimited))
 }
 // Don't forget about self
 accessCond = accessCond.Or(builder.Eq{"id": opts.Actor.ID})
 cond = cond.And(accessCond)
 }
-
 } else {
 // Force visibility for privacy
 // Not logged in - only public users
From 733283e603bbfa60595d9bab21242299f311b743 Mon Sep 17 00:00:00 2001
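Review bot: The rewritten `accessCond` is the only privacy filter on search results for a non-admin actor, yet the diffstat shows one file changed and no test, so the equivalence with the old query is asserted rather than checked. Dropping the `visibility = private` filter and the `LeftJoin` from the membership subquery looks behaviour-preserving, because public and limited rows are already admitted by the second `In` for non-restricted actors and the restricted branch never had that filter; a comment saying so, e.g. `// no visibility filter needed here: any org the actor belongs to is visible to them`, would keep a later edit from narrowing or re-adding it by accident. A table-driven test over admin, restricted and non-restricted actors, each as member and non-member of a private organization, would pin the behaviour. The columns `"id"` and `"visibility"` are unqualified and would turn ambiguous if the session built later in toSearchQueryBase joins another table; that part of the function is outside the hunk, so confirm it or qualify both with the `user` table name.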
From: KN4CK3R
Date: Tue, 19 Jul 2022 12:54:42 +0000
Subject: [PATCH 2/2] lint
---
 models/user/search.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/models/user/search.go b/models/user/search.go
index 52aaf850cadc..76ff55ea2664 100644
--- a/models/user/search.go
+++ b/models/user/search.go
@@ -62,9 +62,9 @@ func (opts *SearchUserOptions) toSearchQueryBase() *xorm.Session {
 // If Admin - they see all users!
 if !opts.Actor.IsAdmin {
 // Users can see an organization they are a member of
- var accessCond builder.Cond = builder.In("id", builder.Select("org_id").From("org_user").Where(builder.Eq{"uid": opts.Actor.ID}))
+ accessCond := builder.In("id", builder.Select("org_id").From("org_user").Where(builder.Eq{"uid": opts.Actor.ID}))
 if !opts.Actor.IsRestricted {
- // Not-Restricted users can see public and limited users/organziations
+ // Not-Restricted users can see public and limited users/organizations
 accessCond = accessCond.Or(builder.In("visibility", structs.VisibleTypePublic, structs.VisibleTypeLimited))
 }
 // Don't forget about self