mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-09-13 14:27:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix: only redirect to a new owner (organization or user) if the user has permissions to view the new owner (#9072)

Browse source 
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9072
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
This commit is contained in:
Earl Warren 2025-08-30 13:14:06 +02:00
commit b982fde455
18 changed files with 252 additions and 67 deletions
Download patch file Download diff file Expand all files Collapse all files

11
routers/api/v1/api.go
View file

@ -99,6 +99,7 @@ import (
"forgejo.org/services/auth"
"forgejo.org/services/context"
"forgejo.org/services/forms"
redirect_service "forgejo.org/services/redirect"
_ "forgejo.org/routers/api/v1/swagger" // for swagger generation
@ -153,12 +154,12 @@ func repoAssignment() func(ctx *context.APIContext) {
owner, err = user_model.GetUserByName(ctx, userName)
if err != nil {
if user_model.IsErrUserNotExist(err) {
if redirectUserID, err := user_model.LookupUserRedirect(ctx, userName); err == nil {
if redirectUserID, err := redirect_service.LookupUserRedirect(ctx, ctx.Doer, userName); err == nil {
context.RedirectToUser(ctx.Base, userName, redirectUserID)
} else if user_model.IsErrUserRedirectNotExist(err) {
ctx.NotFound("GetUserByName", err)
} else {
ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)
ctx.Error(http.StatusInternalServerError, "LookupRedirect", err)
}
} else {
ctx.Error(http.StatusInternalServerError, "GetUserByName", err)
@ -173,7 +174,7 @@ func repoAssignment() func(ctx *context.APIContext) {
repo, err := repo_model.GetRepositoryByName(ctx, owner.ID, repoName)
if err != nil {
if repo_model.IsErrRepoNotExist(err) {
redirectRepoID, err := repo_model.LookupRedirect(ctx, owner.ID, repoName)
redirectRepoID, err := redirect_service.LookupRepoRedirect(ctx, ctx.Doer, owner.ID, repoName)
if err == nil {
context.RedirectToRepo(ctx.Base, redirectRepoID)
} else if repo_model.IsErrRedirectNotExist(err) {
@ -641,13 +642,13 @@ func orgAssignment(args ...bool) func(ctx *context.APIContext) {
ctx.Org.Organization, err = organization.GetOrgByName(ctx, ctx.Params(":org"))
if err != nil {
if organization.IsErrOrgNotExist(err) {
redirectUserID, err := user_model.LookupUserRedirect(ctx, ctx.Params(":org"))
redirectUserID, err := redirect_service.LookupUserRedirect(ctx, ctx.Doer, ctx.Params(":org"))
if err == nil {
context.RedirectToUser(ctx.Base, ctx.Params(":org"), redirectUserID)
} else if user_model.IsErrUserRedirectNotExist(err) {
ctx.NotFound("GetOrgByName", err)
} else {
ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)
ctx.Error(http.StatusInternalServerError, "LookupRedirect", err)
}
} else {
ctx.Error(http.StatusInternalServerError, "GetOrgByName", err)