Do not allow Ghost access to limited visible user/org (#21849) (#21875)

Backport of #21849

Co-authored-by: Lauris BH <lauris@nix.lv>
tokarchuk/v1.17
KN4CK3R 2 years ago committed by GitHub
parent 56716f5834
commit 87630a6583
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 5
      models/organization/org.go

@ -448,8 +448,9 @@ func CountOrgs(opts FindOrgOptions) (int64, error) {
// HasOrgOrUserVisible tells if the given user can see the given org or user // HasOrgOrUserVisible tells if the given user can see the given org or user
func HasOrgOrUserVisible(ctx context.Context, orgOrUser, user *user_model.User) bool { func HasOrgOrUserVisible(ctx context.Context, orgOrUser, user *user_model.User) bool {
// Not SignedUser // If user is nil, it's an anonymous user/request.
if user == nil { // The Ghost user is handled like an anonymous user.
if user == nil || user.IsGhost() {
return orgOrUser.Visibility == structs.VisibleTypePublic return orgOrUser.Visibility == structs.VisibleTypePublic
} }
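Review bot: Nothing in this commit pins the new Ghost branch at `if user == nil || user.IsGhost() {` with a test; the only file listed as changed is models/organization/org.go. Because this is an access-control fix, a unit test would keep a later refactor from silently reopening the gap. It should pass the Ghost user to HasOrgOrUserVisible and expect `false` for an org or user whose Visibility is `structs.VisibleTypeLimited`, and `true` for `structs.VisibleTypePublic`. It may also be worth checking whether other visibility helpers that treat `user == nil` as the anonymous case need the same Ghost handling; that cannot be judged from this hunk. The body of HasOrgOrUserVisible continues outside the hunk, so the admin and membership paths were not reviewed here.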
