Skip to content

Ensure that feeds are appropriately restricted #10018

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zeripath merged 7 commits into from
Jan 28, 2020
Merged

Ensure that feeds are appropriately restricted #10018

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
cfef824
Always limit results by what is accessible to the user
zeripath Jan 27, 2020
d6548c2
Change signature of AccessibleRepoIDsQuery
zeripath Jan 27, 2020
45a89f4
Ensure that user with ID <= 0 is handled
zeripath Jan 27, 2020
3923185
Update models/repo_list.go
zeripath Jan 27, 2020
c68997a
Merge branch 'master' into fix-9981-limited-hidden-activity
zeripath Jan 27, 2020
6a33a74
Merge branch 'master' into fix-9981-limited-hidden-activity
zeripath Jan 28, 2020
0c03606
Merge branch 'master' into fix-9981-limited-hidden-activity
zeripath Jan 28, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions models/action.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -312,8 +312,8 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
}

cond = cond.And(builder.In("repo_id", repoIDs))
} else if opts.Actor != nil {
cond = cond.And(builder.In("repo_id", opts.Actor.AccessibleRepoIDsQuery()))
} else {
cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.Actor)))
}

cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})
Expand Down
7 changes: 4 additions & 3 deletions models/repo_list.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -319,9 +319,9 @@ func SearchRepository(opts *SearchRepoOptions) (RepositoryList, int64, error) {
func accessibleRepositoryCondition(user *User) builder.Cond {
var cond = builder.NewCond()

if user == nil || !user.IsRestricted {
if user == nil || !user.IsRestricted || user.ID <= 0 {
Copy link
Copy Markdown
Member

@guillep2k guillep2k Jan 27, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't it strange that user ==nil enables VisibleTypeLimited orgs three lines below?

I was under the impression that user == nil (or user.ID <= 0) meant anonymous/unidentified.

Copy link
Copy Markdown
Contributor Author

@zeripath zeripath Jan 27, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not enabling it - rather restricting them away further. But I should probably add the user ID <= 0 test to that too - DONE

Copy link
Copy Markdown
Member

@guillep2k guillep2k Jan 27, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not your fault, the code is previous to your PR. I've just noticed it:

cond = cond.Or(builder.And(
			builder.Eq{"`repository`.is_private": false},
			builder.Or(
				//   A. Aren't in organisations  __OR__
				builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
				//   B. Isn't a private organisation. Limited is OK as long as we're logged in.
				builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.In("visibility", orgVisibilityLimit))))))

If I read this right, it's: user can see it if "repository is not private or (rest of the condition)". A limited org has public repos that anonymous users should not be able to see. This condition will make those repos pass, since they've got is_private == false.

I'm pretty tired, so I might be I'm getting this wrong.

orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate}
if user == nil {
if user == nil || user.ID <= 0 {
orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited)
}
// 1. Be able to see all non-private repositories that either:
Expand Down Expand Up @@ -363,7 +363,8 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
}

// AccessibleRepoIDsQuery queries accessible repository ids. Usable as a subquery wherever repo ids need to be filtered.
func (user *User) AccessibleRepoIDsQuery() *builder.Builder {
func AccessibleRepoIDsQuery(user *User) *builder.Builder {
// NB: Please note this code needs to still work if user is nil
return builder.Select("id").From("repository").Where(accessibleRepositoryCondition(user))
}

Expand Down