Ensure that feeds are appropriately restricted (#10018) (#10019)

* Ensure that feeds are appropriately restricted * Placate golangci-lint
6 years ago · 895d92ffe5
4 changed files with 38 additions and 7 deletions
--- a/models/action.go
+++ b/models/action.go
@ -432,6 +432,8 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
 		}
 		cond = cond.And(builder.In("repo_id", repoIDs))
 	} else {
 		cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.RequestingUserID)))
 	}
 	cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})
--- a/models/repo_list.go
+++ b/models/repo_list.go
@ -315,6 +315,17 @@ func SearchRepository(opts *SearchRepoOptions) (RepositoryList, int64, error) {
 // accessibleRepositoryCondition takes a user a returns a condition for checking if a repository is accessible
 func accessibleRepositoryCondition(userID int64) builder.Cond {
 	if userID <= 0 {
 		return builder.And(
 			builder.Eq{"`repository`.is_private": false},
 			builder.Or(
 				//   A. Aren't in organisations  __OR__
 				builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
 				//   B. Is a public organisation.
 				builder.In("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"visibility": structs.VisibleTypePublic}))),
 		)
 	}
 	return builder.Or(
 		// 1. Be able to see all non-private repositories that either:
 		builder.And(
@ -349,6 +360,12 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
 	return SearchRepository(opts)
 }
 // AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered.
 func AccessibleRepoIDsQuery(userID int64) *builder.Builder {
 	// NB: Please note this code needs to still work if user is nil
 	return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(userID))
 }
 // FindUserAccessibleRepoIDs find all accessible repositories' ID by user's id
 func FindUserAccessibleRepoIDs(userID int64) ([]int64, error) {
 	var accessCond builder.Cond = builder.Eq{"is_private": false}
--- a/routers/user/home.go
+++ b/routers/user/home.go
@ -142,11 +142,17 @@ func Dashboard(ctx *context.Context) {
 	ctx.Data["MirrorCount"] = len(mirrors)
 	ctx.Data["Mirrors"] = mirrors
 	requestingUserID := int64(0)
 	if ctx.User != nil {
 		requestingUserID = ctx.User.ID
 	}
 	retrieveFeeds(ctx, models.GetFeedsOptions{
-		RequestedUser:   ctxUser,
+		RequestedUser:    ctxUser,
-		IncludePrivate:  true,
+		RequestingUserID: requestingUserID,
-		OnlyPerformedBy: false,
+		IncludePrivate:   true,
-		IncludeDeleted:  false,
+		OnlyPerformedBy:  false,
 		IncludeDeleted:   false,
 	})
 	if ctx.Written() {
--- a/routers/user/profile.go
+++ b/routers/user/profile.go
@ -156,14 +156,20 @@ func Profile(ctx *context.Context) {
 		orderBy = models.SearchOrderByRecentUpdated
 	}
 	requestingUserID := int64(0)
 	if ctx.User != nil {
 		requestingUserID = ctx.User.ID
 	}
 	keyword := strings.Trim(ctx.Query("q"), " ")
 	ctx.Data["Keyword"] = keyword
 	switch tab {
 	case "activity":
 		retrieveFeeds(ctx, models.GetFeedsOptions{RequestedUser: ctxUser,
-			IncludePrivate:  showPrivate,
+			RequestingUserID: requestingUserID,
-			OnlyPerformedBy: true,
+			IncludePrivate:   showPrivate,
-			IncludeDeleted:  false,
+			OnlyPerformedBy:  true,
 			IncludeDeleted:   false,
 		})
 		if ctx.Written() {
 			return