From 496140d5375f75678e900a4aaa06150dcea2e78b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Fri, 8 May 2026 18:32:48 -0400
Subject: [PATCH] refactor: update `groupAssignment` func ensure that groups that have private parents remain inaccessible
---
 services/context/group.go | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/services/context/group.go b/services/context/group.go
index 8f61c50b74..7cf31a9e2e 100644
--- a/services/context/group.go
+++ b/services/context/group.go
@@ -120,6 +120,11 @@ func groupAssignment(ctx commonCtx, doer *user_model.User, isSigned bool, handle
 handleOtherError("error checking group access", err)
 return
 }
+ privateBecauseOfParent, err := group.IsPrivateBecauseOfParentPermissions(ctx, doer)
+ if err != nil {
+ handleOtherError("error checking group access", err)
+ return
+ }
 if group.Owner == nil {
 err = group.LoadOwner(ctx)
 if err != nil {
@@ -255,6 +260,9 @@ func groupAssignment(ctx commonCtx, doer *user_model.User, isSigned bool, handle
 }
 repoGroup.IsGroupAdmin = repoGroup.IsGroupAdmin || isAdmin
 }
+ if !repoGroup.IsOwner && !repoGroup.IsGroupAdmin {
+ canAccess = canAccess && !privateBecauseOfParent
+ }
 assign(repoGroup, canAccess)
 }
@@ -296,7 +304,7 @@ func GroupAssignmentWeb(args GroupAssignmentOptions) func(ctx *Context) {
 is, _ := organization.IsPublicMembership(ctx, ctx.Org.Organization.ID, uid)
 return is
 }
- ctx.Data["CanReadProjects"] = repoGroup.CanReadUnit(ctx, unit.TypeProjects)
+ ctx.Data["CanReadProjects"] = repoGroup.CanReadUnit(ctx, ctx.Doer, unit.TypeProjects)
 ctx.Data["CanCreateOrgRepo"] = repoGroup.CanCreateRepoOrGroup
 ctx.Data["IsGroupAdmin"] = repoGroup.IsGroupAdmin
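Review bot: In the first groupAssignment hunk, a failure of `IsPrivateBecauseOfParentPermissions` is reported with the same text as the access check directly above it, `"error checking group access"`, so a log entry cannot tell which authorization lookup failed. A distinct message such as `handleOtherError("error checking parent group privacy", err)` would separate the two. The call also passes `doer` unconditionally, and the `isSigned` parameter in the signature suggests `doer` may be nil for anonymous requests, so it is worth confirming that the helper treats a nil doer as having no access rather than dereferencing it. The function body starts and ends outside the hunk.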
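Review bot: The guard added before `assign(repoGroup, canAccess)` exempts `IsOwner` and `IsGroupAdmin` from the parent-privacy restriction without saying why. The context line just above can set `IsGroupAdmin` from `isAdmin`, so how far the exemption reaches depends on code outside the hunk. A comment such as `// owners and group admins keep access even when a parent group is private; everyone else loses it` would record the intended policy. The diffstat lists only services/context/group.go, so this access-control change arrives without a test; a case where a non-member requests a public group under a private parent would pin the behaviour.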
@@ -356,10 +364,14 @@ func GroupAssignmentAPI() func(ctx *APIContext) {
 ctx.APIErrorNotFound(nil)
 return
 }
-
- if !canAccess && group.Visibility != structs.VisibleTypePublic {
+ if ctx.IsSigned {
+ if !canAccess && group.Visibility != structs.VisibleTypePublic {
+ ctx.APIErrorNotFound(nil)
+ return
+ }
+ }
+ if !canAccess {
 ctx.APIErrorNotFound(nil)
- return
 }
 ctx.RepoGroup = repoGroup
 })
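Review bot: The final `if !canAccess` block in GroupAssignmentAPI no longer returns after `ctx.APIErrorNotFound(nil)`, so on the denied path execution falls through to `ctx.RepoGroup = repoGroup` and the restricted group is still attached to the context. Whether later handlers run after the 404 is written depends on the router, which is not visible here, but restoring the early exit as `if !canAccess { ctx.APIErrorNotFound(nil); return }` stops the deny path from populating state that they could read. The new unconditional check also subsumes the `ctx.IsSigned` block above it, since every request with `canAccess == false` now ends in a 404 whatever `group.Visibility` is. If that is the intent, the signed-in branch can be dropped; if public groups were meant to stay readable, the second check contradicts it.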