authorKN4CK3R <admin@oldschoolhack.me>2022-11-17 20:29:33 +0100
committerGitHub <noreply@github.com>2022-11-17 20:29:33 +0100
commit88d5275614a82f01ddf728435803ff6000a2262e (patch)
treeb3f24770298f8533abe3d6b716bee6d7dec71c10 /models/organization
parentFix setting HTTP headers after write (#21833) (diff)
Do not allow Ghost access to limited visible user/org (#21849)
The Ghost user should not be allowed to have access to a limited visible user/org. Co-authored-by: Lauris BH <lauris@nix.lv>
Diffstat (limited to 'models/organization')
-rw-r--r--models/organization/org.go5
1 files changed, 3 insertions, 2 deletions
diff --git a/models/organization/org.go b/models/organization/org.go
index af9c1f307c..6bb982b281 100644
--- a/models/organization/org.go
+++ b/models/organization/org.go
@@ -458,8 +458,9 @@ func CountOrgs(opts FindOrgOptions) (int64, error) {
// HasOrgOrUserVisible tells if the given user can see the given org or user
func HasOrgOrUserVisible(ctx context.Context, orgOrUser, user *user_model.User) bool {
- // Not SignedUser
- if user == nil {
+ // If user is nil, it's an anonymous user/request.
+ // The Ghost user is handled like an anonymous user.
+ if user == nil || user.IsGhost() {
return orgOrUser.Visibility == structs.VisibleTypePublic
}
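Review bot: The doc comment on `HasOrgOrUserVisible` does not state the access-control rule the new guard enforces, namely that a nil viewer and the Ghost placeholder are both restricted to targets with `structs.VisibleTypePublic`. I would extend the exported comment with a line such as `// A nil user (anonymous request) or the Ghost user only sees targets with public visibility.` so callers do not have to read the body to learn it. This path-limited view shows no test change, so if the commit has none elsewhere, a regression test asserting that a Ghost viewer gets false for a `VisibleTypeLimited` org would pin the behaviour. The function body continues past the end of the hunk, so the later branches for signed-in users are not covered by this note.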