Skip to content

Fix org member visibility check #28837

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Fix org member visibility check #28837

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions models/fixtures/org_user.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,3 +99,15 @@
uid: 5
org_id: 36
is_public: true

-
id: 18
uid: 31
org_id: 3
is_public: false

-
id: 19
uid: 33
org_id: 3
is_public: false
2 changes: 1 addition & 1 deletion models/fixtures/team.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@
name: test_team
authorize: 2 # write
num_repos: 1
num_members: 1
num_members: 3
includes_all_repositories: false
can_create_org_repo: false

Expand Down
12 changes: 12 additions & 0 deletions models/fixtures/team_user.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,3 +129,15 @@
org_id: 17
team_id: 9
uid: 15

-
id: 23
org_id: 3
team_id: 7
uid: 31

-
id: 24
org_id: 3
team_id: 7
uid: 33
57 changes: 48 additions & 9 deletions models/organization/org.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -194,17 +194,54 @@ func (org *Organization) CanCreateRepo() bool {
// FindOrgMembersOpts represensts find org members conditions
type FindOrgMembersOpts struct {
db.ListOptions
OrgID int64
PublicOnly bool
OrgID int64
DoerID int64
IsAdmin bool
IsOrgMember bool
IsOrgAdmin bool
}

// FindOrgMembersOptsCondition creates a query condition according find org members options
func FindOrgMembersOptsCondition(ctx context.Context, opts *FindOrgMembersOpts) (builder.Cond, error) {
cond := builder.And(builder.Eq{"`org_user`.org_id": opts.OrgID})

// for no-login user, they can only see public users with public visibility
isPublic := true
userVisibility := structs.VisibleTypePublic

if opts.DoerID != 0 {
userVisibility = structs.VisibleTypeLimited

// only org members and site admins can see private users in the org
// users with private visibility can not be seen in this case
isPublic = !opts.IsOrgMember && !opts.IsAdmin

// only site admin or org admin can see private users with private visibility
if opts.IsAdmin || opts.IsOrgAdmin {
userVisibility = structs.VisibleTypePrivate
}
}
visibilityCond := builder.And(builder.Lte{"`user`.visibility": userVisibility})
if isPublic {
visibilityCond = visibilityCond.And(builder.Eq{"`org_user`.is_public": isPublic})
}

cond = cond.And(builder.Or(
// doers can see themselves
builder.Eq{"`user`.id": opts.DoerID},
visibilityCond,
))
return cond, nil
}

// CountOrgMembers counts the organization's members
func CountOrgMembers(ctx context.Context, opts *FindOrgMembersOpts) (int64, error) {
sess := db.GetEngine(ctx).Where("org_id=?", opts.OrgID)
if opts.PublicOnly {
sess.And("is_public = ?", true)
sess := db.GetEngine(ctx).Join("INNER", "`user`", "`user`.id == `org_user`.uid")
cond, err := FindOrgMembersOptsCondition(ctx, opts)
if err != nil {
return 0, err
}
return sess.Count(new(OrgUser))
return sess.Where(cond).Count(new(OrgUser))
}

// FindOrgMembers loads organization members according conditions
Expand Down Expand Up @@ -519,10 +556,12 @@ func GetOrgsCanCreateRepoByUserID(ctx context.Context, userID int64) ([]*Organiz

// GetOrgUsersByOrgID returns all organization-user relations by organization ID.
func GetOrgUsersByOrgID(ctx context.Context, opts *FindOrgMembersOpts) ([]*OrgUser, error) {
sess := db.GetEngine(ctx).Where("org_id=?", opts.OrgID)
if opts.PublicOnly {
sess.And("is_public = ?", true)
sess := db.GetEngine(ctx).Join("INNER", "`user`", "`user`.id == `org_user`.uid")
cond, err := FindOrgMembersOptsCondition(ctx, opts)
if err != nil {
return nil, err
}
sess = sess.Where(cond)
if opts.ListOptions.PageSize > 0 {
sess = db.SetSessionPagination(sess, opts)

Expand Down
129 changes: 126 additions & 3 deletions models/organization/org_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -210,13 +210,39 @@ func TestFindOrgs(t *testing.T) {
func TestGetOrgUsersByOrgID(t *testing.T) {
assert.NoError(t, unittest.PrepareTestDatabase())

// no-login user can see public user with public visibility
orgUsers, err := organization.GetOrgUsersByOrgID(db.DefaultContext, &organization.FindOrgMembersOpts{
ListOptions: db.ListOptions{},
OrgID: 3,
PublicOnly: false,
})
assert.NoError(t, err)
if assert.Len(t, orgUsers, 3) {
if assert.Len(t, orgUsers, 2) {
assert.Equal(t, organization.OrgUser{
ID: orgUsers[0].ID,
OrgID: 3,
UID: 2,
IsPublic: true,
}, *orgUsers[0])
assert.Equal(t, organization.OrgUser{
ID: orgUsers[1].ID,
OrgID: 3,
UID: 28,
IsPublic: true,
}, *orgUsers[1])
}

// org member can see private users with public and limited visibility and self
// user 31 has private user visibility
orgUsers, err = organization.GetOrgUsersByOrgID(db.DefaultContext, &organization.FindOrgMembersOpts{
ListOptions: db.ListOptions{},
OrgID: 3,
DoerID: 31,
IsAdmin: false,
IsOrgMember: true,
IsOrgAdmin: false,
})
assert.NoError(t, err)
if assert.Len(t, orgUsers, 5) {
assert.Equal(t, organization.OrgUser{
ID: orgUsers[0].ID,
OrgID: 3,
Expand All @@ -235,12 +261,109 @@ func TestGetOrgUsersByOrgID(t *testing.T) {
UID: 28,
IsPublic: true,
}, *orgUsers[2])
assert.Equal(t, organization.OrgUser{
ID: orgUsers[3].ID,
OrgID: 3,
UID: 31,
IsPublic: false,
}, *orgUsers[3])
assert.Equal(t, organization.OrgUser{
ID: orgUsers[4].ID,
OrgID: 3,
UID: 33,
IsPublic: false,
}, *orgUsers[4])
}

// org admin can see user all users
orgUsers, err = organization.GetOrgUsersByOrgID(db.DefaultContext, &organization.FindOrgMembersOpts{
ListOptions: db.ListOptions{},
OrgID: 3,
DoerID: 28,
IsAdmin: false,
IsOrgMember: true,
IsOrgAdmin: true,
})
assert.NoError(t, err)
if assert.Len(t, orgUsers, 5) {
assert.Equal(t, organization.OrgUser{
ID: orgUsers[0].ID,
OrgID: 3,
UID: 2,
IsPublic: true,
}, *orgUsers[0])
assert.Equal(t, organization.OrgUser{
ID: orgUsers[1].ID,
OrgID: 3,
UID: 4,
IsPublic: false,
}, *orgUsers[1])
assert.Equal(t, organization.OrgUser{
ID: orgUsers[2].ID,
OrgID: 3,
UID: 28,
IsPublic: true,
}, *orgUsers[2])
assert.Equal(t, organization.OrgUser{
ID: orgUsers[3].ID,
OrgID: 3,
UID: 31,
IsPublic: false,
}, *orgUsers[3])
assert.Equal(t, organization.OrgUser{
ID: orgUsers[4].ID,
OrgID: 3,
UID: 33,
IsPublic: false,
}, *orgUsers[4])
}

// admin can see user all users
orgUsers, err = organization.GetOrgUsersByOrgID(db.DefaultContext, &organization.FindOrgMembersOpts{
ListOptions: db.ListOptions{},
OrgID: 3,
DoerID: 1,
IsAdmin: true,
IsOrgMember: false,
IsOrgAdmin: false,
})
assert.NoError(t, err)
if assert.Len(t, orgUsers, 5) {
assert.Equal(t, organization.OrgUser{
ID: orgUsers[0].ID,
OrgID: 3,
UID: 2,
IsPublic: true,
}, *orgUsers[0])
assert.Equal(t, organization.OrgUser{
ID: orgUsers[1].ID,
OrgID: 3,
UID: 4,
IsPublic: false,
}, *orgUsers[1])
assert.Equal(t, organization.OrgUser{
ID: orgUsers[2].ID,
OrgID: 3,
UID: 28,
IsPublic: true,
}, *orgUsers[2])
assert.Equal(t, organization.OrgUser{
ID: orgUsers[3].ID,
OrgID: 3,
UID: 31,
IsPublic: false,
}, *orgUsers[3])
assert.Equal(t, organization.OrgUser{
ID: orgUsers[4].ID,
OrgID: 3,
UID: 33,
IsPublic: false,
}, *orgUsers[4])
}

orgUsers, err = organization.GetOrgUsersByOrgID(db.DefaultContext, &organization.FindOrgMembersOpts{
ListOptions: db.ListOptions{},
OrgID: unittest.NonexistentID,
PublicOnly: false,
})
assert.NoError(t, err)
assert.Len(t, orgUsers, 0)
Expand Down
11 changes: 7 additions & 4 deletions modules/context/org.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,6 @@ type Organization struct {
Organization *organization.Organization
OrgLink string
CanCreateOrgRepo bool
PublicMemberOnly bool // Only display public members

Team *organization.Team
Teams []*organization.Team
Expand Down Expand Up @@ -174,10 +173,14 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
ctx.Data["OrgLink"] = ctx.Org.OrgLink

// Member
ctx.Org.PublicMemberOnly = ctx.Doer == nil || !ctx.Org.IsMember && !ctx.Doer.IsAdmin
opts := &organization.FindOrgMembersOpts{
OrgID: org.ID,
PublicOnly: ctx.Org.PublicMemberOnly,
OrgID: org.ID,
}
if ctx.Doer != nil {
opts.DoerID = ctx.Doer.ID
opts.IsAdmin = ctx.Doer.IsAdmin
opts.IsOrgMember = ctx.Org.IsMember
opts.IsOrgAdmin = ctx.Org.IsTeamAdmin
}
ctx.Data["NumMembers"], err = organization.CountOrgMembers(ctx, opts)
if err != nil {
Expand Down
18 changes: 17 additions & 1 deletion routers/api/v1/org/member.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,26 @@ import (
func listMembers(ctx *context.APIContext, publicOnly bool) {
opts := &organization.FindOrgMembersOpts{
OrgID: ctx.Org.Organization.ID,
PublicOnly: publicOnly,
ListOptions: utils.GetListOptions(ctx),
}

if ctx.Doer != nil {
opts.DoerID = ctx.Doer.ID

var err error
opts.IsOrgMember, err = ctx.Org.Organization.IsOrgMember(ctx, ctx.Doer.ID)
if err != nil {
ctx.InternalServerError(err)
return
}
opts.IsOrgAdmin, err = ctx.Org.Organization.IsOrgAdmin(ctx, ctx.Doer.ID)
if err != nil {
ctx.InternalServerError(err)
return
}

}

count, err := organization.CountOrgMembers(ctx, opts)
if err != nil {
ctx.InternalServerError(err)
Expand Down
7 changes: 6 additions & 1 deletion routers/web/org/home.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,9 +122,14 @@ func Home(ctx *context.Context) {

opts := &organization.FindOrgMembersOpts{
OrgID: org.ID,
PublicOnly: ctx.Org.PublicMemberOnly,
ListOptions: db.ListOptions{Page: 1, PageSize: 25},
}
if ctx.Doer != nil {
opts.DoerID = ctx.Doer.ID
opts.IsAdmin = ctx.Doer.IsAdmin
opts.IsOrgMember = ctx.Org.IsMember
opts.IsOrgAdmin = ctx.Org.IsTeamAdmin
}
members, _, err := organization.FindOrgMembers(ctx, opts)
if err != nil {
ctx.ServerError("FindOrgMembers", err)
Expand Down
15 changes: 10 additions & 5 deletions routers/web/org/members.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,19 +33,24 @@ func Members(ctx *context.Context) {
}

opts := &organization.FindOrgMembersOpts{
OrgID: org.ID,
PublicOnly: true,
OrgID: org.ID,
}

if ctx.Doer != nil {
isMember, err := ctx.Org.Organization.IsOrgMember(ctx, ctx.Doer.ID)
opts.DoerID = ctx.Doer.ID

var err error
opts.IsOrgMember, err = ctx.Org.Organization.IsOrgMember(ctx, ctx.Doer.ID)
if err != nil {
ctx.Error(http.StatusInternalServerError, "IsOrgMember")
return
}
opts.PublicOnly = !isMember && !ctx.Doer.IsAdmin
opts.IsOrgAdmin, err = ctx.Org.Organization.IsOrgAdmin(ctx, ctx.Doer.ID)
if err != nil {
ctx.Error(http.StatusInternalServerError, "IsOrgAdmin")
return
}
}
ctx.Data["PublicOnly"] = opts.PublicOnly

total, err := organization.CountOrgMembers(ctx, opts)
if err != nil {
Expand Down