
Simplify visibility checks (#20406)

Was looking into the visibility checks because I need them for something different and noticed the checks are more complicated than they have to be.

The rule is just: a user/org is visible if either
- The doer is a member of the org, regardless of the org visibility, or
- The doer is not restricted and the user/org is public or limited
KN4CK3R 2022-07-21 12:41:50 +02:00 committed by GitHub
parent e5ef7c2a91
commit 7690de56f7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 11 deletions


@ -59,25 +59,18 @@ func (opts *SearchUserOptions) toSearchQueryBase() *xorm.Session {
} }
if opts.Actor != nil { if opts.Actor != nil {
exprCond := builder.Expr("org_user.org_id = `user`.id")
// If Admin - they see all users! // If Admin - they see all users!
if !opts.Actor.IsAdmin { if !opts.Actor.IsAdmin {
// Force visibility for privacy // Users can see an organization they are a member of
var accessCond builder.Cond accessCond := builder.In("id", builder.Select("org_id").From("org_user").Where(builder.Eq{"uid": opts.Actor.ID}))
if !opts.Actor.IsRestricted { if !opts.Actor.IsRestricted {
accessCond = builder.Or( // Not-Restricted users can see public and limited users/organizations
builder.In("id", builder.Select("org_id").From("org_user").LeftJoin("`user`", exprCond).Where(builder.And(builder.Eq{"uid": opts.Actor.ID}, builder.Eq{"visibility": structs.VisibleTypePrivate}))), accessCond = accessCond.Or(builder.In("visibility", structs.VisibleTypePublic, structs.VisibleTypeLimited))
builder.In("visibility", structs.VisibleTypePublic, structs.VisibleTypeLimited))
} else {
// restricted users only see orgs they are a member of
accessCond = builder.In("id", builder.Select("org_id").From("org_user").LeftJoin("`user`", exprCond).Where(builder.And(builder.Eq{"uid": opts.Actor.ID})))
} }
// Don't forget about self // Don't forget about self
accessCond = accessCond.Or(builder.Eq{"id": opts.Actor.ID}) accessCond = accessCond.Or(builder.Eq{"id": opts.Actor.ID})
cond = cond.And(accessCond) cond = cond.And(accessCond)
} }
} else { } else {
// Force visibility for privacy // Force visibility for privacy
// Not logged in - only public users // Not logged in - only public users