Allow access to the Public Organization Member lists with minimal permissions (#20330)

Examining Organization membership should not necessarily require sign-in if the organization is public and the members are public. Therefore we should adjust `/org/{org}/members` to not require login. Fix #7501 Signed-off-by: a1012112796 <1012112796@qq.com> Co-authored-by: zeripath <art27@cantab.net>
2025-10-31 22:28:05 +01:00 · 2022-07-15 22:21:54 +08:00 · 2022-07-15 22:21:54 +08:00 · 4f267ef643
commit 4f267ef643
parent 7d20c8323a
4 changed files with 24 additions and 11 deletions
--- a/modules/context/org.go
+++ b/modules/context/org.go
@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/structs"
 )

 // Organization contains organization context
@ -69,6 +70,20 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 		return
 	}
 	org := ctx.Org.Organization
+
+	// Handle Visibility
+	if org.Visibility != structs.VisibleTypePublic && !ctx.IsSigned {
+		// We must be signed in to see limited or private organizations
+		ctx.NotFound("OrgAssignment", err)
+		return
+	}
+
+	if org.Visibility == structs.VisibleTypePrivate {
+		requireMember = true
+	} else if ctx.IsSigned && ctx.Doer.IsRestricted {
+		requireMember = true
+	}
+
 	ctx.ContextUser = org.AsUser()
 	ctx.Data["Org"] = org

--- a/routers/web/org/home.go
+++ b/routers/web/org/home.go
@ -39,11 +39,6 @@ func Home(ctx *context.Context) {

 	org := ctx.Org.Organization

-	if !organization.HasOrgOrUserVisible(ctx, org.AsUser(), ctx.Doer) {
-		ctx.NotFound("HasOrgOrUserVisible", nil)
-		return
-	}
-
 	ctx.Data["PageIsUserProfile"] = true
 	ctx.Data["Title"] = org.DisplayName()
 	if len(org.Description) != 0 {
--- a/routers/web/web.go
+++ b/routers/web/web.go
@ -610,6 +610,12 @@ func RegisterRoutes(m *web.Route) {
 	}

 	// ***** START: Organization *****
+	m.Group("/org", func() {
+		m.Group("/{org}", func() {
+			m.Get("/members", org.Members)
+		}, context.OrgAssignment())
+	}, ignSignIn)
+
 	m.Group("/org", func() {
 		m.Group("", func() {
 			m.Get("/create", org.Create)
@ -625,7 +631,6 @@ func RegisterRoutes(m *web.Route) {
 			m.Get("/pulls/{team}", user.Pulls)
 			m.Get("/milestones", reqMilestonesDashboardPageEnabled, user.Milestones)
 			m.Get("/milestones/{team}", reqMilestonesDashboardPageEnabled, user.Milestones)
-			m.Get("/members", org.Members)
 			m.Post("/members/action/{action}", org.MembersAction)
 			m.Get("/teams", org.Teams)
 		}, context.OrgAssignment(true, false, true))
--- a/templates/org/home.tmpl
+++ b/templates/org/home.tmpl
@ -41,11 +41,9 @@
 				{{end}}
 				<h4 class="ui top attached header df">
 					<strong class="f1">{{.locale.Tr "org.people"}}</strong>
-					{{if .IsOrganizationMember}}
-						<div class="ui">
-							<a class="text grey dif ac" href="{{.OrgLink}}/members"><span>{{.Org.NumMembers}}</span> {{svg "octicon-chevron-right"}}</a>
-						</div>
-					{{end}}
+					<div class="ui">
+						<a class="text grey dif ac" href="{{.OrgLink}}/members"><span>{{.MembersTotal}}</span> {{svg "octicon-chevron-right"}}</a>
+					</div>
 				</h4>
 				<div class="ui attached segment members">
 					{{$isMember := .IsOrganizationMember}}