Ensure that feeds are appropriately restricted#10018

Merged
zeripath merged 7 commits into
go-gitea:masterfrom
zeripath:fix-9981-limited-hidden-activity
Jan 28, 2020
Conversation

@zeripath
Contributor

Fix #9981

@zeripath zeripath added this to the 1.12.0 milestone Jan 27, 2020
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Jan 27, 2020
@zeripath zeripath changed the title Always limit results on dashboard by what is accessible to the user Ensure that feeds are appropriately restricted Jan 27, 2020
@codecov-io

codecov-io commented Jan 27, 2020

Codecov Report

Merging #10018 into master will decrease coverage by <.01%.
The diff coverage is 53.57%.

@@            Coverage Diff             @@
##           master   #10018      +/-   ##
==========================================
- Coverage   42.27%   42.26%   -0.01%     
==========================================
  Files         611      611              
  Lines       80389    80405      +16     
==========================================
- Hits        33988    33987       -1     
- Misses      42225    42239      +14     
- Partials     4176     4179       +3
Impacted Files Coverage Δ
services/pull/pull.go 33.93% <53.57%> (-0.14%) ⬇️
modules/queue/workerpool.go 41.2% <0%> (-2.58%) ⬇️
modules/log/file.go 75.52% <0%> (-2.1%) ⬇️
modules/git/repo.go 45.87% <0%> (+1.37%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6a33a74...0c03606. Read the comment docs.

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jan 27, 2020
Comment thread models/repo_list.go
var cond = builder.NewCond()

if user == nil || !user.IsRestricted {
if user == nil || !user.IsRestricted || user.ID <= 0 {
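Review bot: the new `user.ID <= 0` operand is only reached after `user == nil` has failed, so the guard is nil-safe, but the convention it encodes (a non-persisted user with ID <= 0 is treated exactly like an anonymous one) is not stated anywhere; a one-line comment above the `if` would save the next reader the same double-take the review below records, especially since the same anonymous/identified distinction drives the limited-organisation filtering a few lines further down.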
Member

Isn't it strange that user == nil enables VisibleTypeLimited orgs three lines below?

I was under the impression that user == nil (or user.ID <= 0) meant anonymous/unidentified.

Contributor Author

@zeripath zeripath Jan 27, 2020

It's not enabling it - rather restricting them away further. But I should probably add the user ID <= 0 test to that too - DONE

Member

@guillep2k guillep2k Jan 27, 2020

Not your fault, the code predates your PR. I've just noticed it:

cond = cond.Or(builder.And(
	builder.Eq{"`repository`.is_private": false},
	builder.Or(
		//   A. Aren't in organisations  __OR__
		builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
		//   B. Isn't a private organisation. Limited is OK as long as we're logged in.
		builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.In("visibility", orgVisibilityLimit))))))

If I read this right, it's: user can see it if "repository is not private or (rest of the condition)". A limited org has public repos that anonymous users should not be able to see. This condition will make those repos pass, since they've got is_private == false.

I'm pretty tired, so I might be getting this wrong.
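To make the And/Or nesting of the quoted clause checkable, here is an added plain-Go model of it together with the guard changed in this PR; this is example code, not Gitea's, and the contents of orgVisibilityLimit (Private always hidden, Limited hidden only from anonymous viewers) are an assumption taken from comment B in the snippet.

```go
package main

import "fmt"

// Visibility models an organisation's Public/Limited/Private setting (constructed, not Gitea's type).
type Visibility int

const (
	VisPublic Visibility = iota
	VisLimited
	VisPrivate
)

// Repo carries the two repository columns the quoted query filters on.
type Repo struct {
	OwnerID   int64
	IsPrivate bool
}

// Viewer is the user running the feed; nil or ID <= 0 is anonymous, as in the PR's guard.
type Viewer struct {
	ID           int64
	IsRestricted bool
}

// AppliesPublicBranch mirrors the changed guard: the public-repo clause is OR-ed in only for these viewers.
func AppliesPublicBranch(v *Viewer) bool { return v == nil || !v.IsRestricted || v.ID <= 0 }

// hiddenOrgVisibility is the assumed content of orgVisibilityLimit: Private is always hidden,
// Limited only from anonymous viewers ("Limited is OK as long as we're logged in").
func hiddenOrgVisibility(v *Viewer) map[Visibility]bool {
	hidden := map[Visibility]bool{VisPrivate: true}
	if v == nil || v.ID <= 0 {
		hidden[VisLimited] = true
	}
	return hidden
}

// PublicVisible is the quoted builder.And(...) clause in plain Go: the repo is not private AND
// (A. its owner is not an organisation OR B. the organisation is not hidden from the viewer).
// orgs maps owner IDs to visibility and holds organisations only (constructed sample shape).
func PublicVisible(r Repo, orgs map[int64]Visibility, v *Viewer) bool {
	if r.IsPrivate {
		return false
	}
	vis, isOrg := orgs[r.OwnerID]
	return !isOrg || !hiddenOrgVisibility(v)[vis]
}

func main() { fmt.Println(PublicVisible(Repo{OwnerID: 1}, map[int64]Visibility{1: VisLimited}, nil)) }
```

Run as written it prints false: the public repository of a limited organisation does not pass the clause for an anonymous viewer, because the outer operator is And, not Or.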

Member

@guillep2k guillep2k left a comment

On a second look... see my comment about orgs.

Comment thread models/repo_list.go Outdated
@guillep2k
Member

Please disregard my comments about the permissions. They were just fine. 😔

@zeripath zeripath merged commit 206a031 into go-gitea:master Jan 28, 2020
@zeripath zeripath deleted the fix-9981-limited-hidden-activity branch January 28, 2020 11:39
lafriks pushed a commit that referenced this pull request Jan 28, 2020
* Ensure that feeds are appropriately restricted

* Placate golangci-lint
@zeripath zeripath added backport/done All backports for this PR have been created backport/v1.10 labels Jan 28, 2020
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Labels

backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug

Development

Successfully merging this pull request may close these issues.

Private repo under User activities must hidden!!!

5 participants