From 981ca741d936eab3672284c709ce21c321290e29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20Gonz=C3=A1lez?= Date: Tue, 30 Sep 2025 13:15:49 +0200 Subject: [PATCH] fix(labrinth): hide hidden orgs from user profiles This is a follow-up to PR #4426. I initially didn't consider the organizations an user belongs to as worth hiding, but given that user profiles can be public, I suppose there technically is a way to exploit them for SEO abuse. Overall, it also seems more consistent to hide them here too. --- apps/labrinth/src/routes/v3/users.rs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/apps/labrinth/src/routes/v3/users.rs b/apps/labrinth/src/routes/v3/users.rs index f0e1a07085..67ffd81128 100644 --- a/apps/labrinth/src/routes/v3/users.rs +++ b/apps/labrinth/src/routes/v3/users.rs @@ -3,8 +3,8 @@ use std::{collections::HashMap, sync::Arc}; use super::{ApiError, oauth_clients::get_user_clients}; use crate::{ auth::{ - filter_visible_collections, filter_visible_projects, - get_user_from_headers, + checks::is_visible_organization, filter_visible_collections, + filter_visible_projects, get_user_from_headers, }, database::{models::DBUser, redis::RedisPool}, file_hosting::{FileHost, FileHostPublicity}, @@ -315,6 +315,10 @@ pub async fn orgs_list( } for data in organizations_data { + if !is_visible_organization(&data, &user, &pool, &redis).await? { + continue; + } + let members_data = team_groups.remove(&data.team_id).unwrap_or(vec![]); let logged_in = user