fix: only redirect to a new owner (organization or user) if the user has permissions to view the new owner (#9072)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9072 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2025-09-25 12:15:54 +00:00 · 2025-08-30 13:14:06 +02:00 · 2025-08-30 13:14:06 +02:00 · b982fde455
commit b982fde455
parent 608f9ee8e6 1fc1f24cad
18 changed files with 252 additions and 67 deletions
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@ -31,6 +31,7 @@ import (
 	"forgejo.org/modules/structs"
 	"forgejo.org/modules/util"
 	"forgejo.org/services/context"
+	redirect_service "forgejo.org/services/redirect"
 	repo_service "forgejo.org/services/repository"

 	"github.com/go-chi/cors"
@ -111,7 +112,7 @@ func httpBase(ctx *context.Context) *serviceHandler {
 			return nil
 		}

-		if redirectRepoID, err := repo_model.LookupRedirect(ctx, owner.ID, reponame); err == nil {
+		if redirectRepoID, err := redirect_service.LookupRepoRedirect(ctx, ctx.Doer, owner.ID, reponame); err == nil {
 			context.RedirectToRepo(ctx.Base, redirectRepoID)
 			return nil
 		}