From 667ddab36af2e77a3449e4eff3fc975160a0733e Mon Sep 17 00:00:00 2001 From: Ross Golder Date: Sat, 14 Mar 2026 14:01:05 +0700 Subject: [PATCH] fix: RecalculateUserAccess sets incorrect minMode for public repos Public repositories were granted AccessModeWrite as the minimum access mode, which incorrectly elevated access for all users on public repos. The minimum should be AccessModeNone, with access granted explicitly through collaborator and team memberships. --- models/perm/access/access.go | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/models/perm/access/access.go b/models/perm/access/access.go index acc34c434e..e9e5a0c026 100644 --- a/models/perm/access/access.go +++ b/models/perm/access/access.go @@ -231,10 +231,7 @@ func RecalculateTeamAccesses(ctx context.Context, repo *repo_model.Repository, i // RecalculateUserAccess recalculates new access for a single user // Usable if we know access only affected one user func RecalculateUserAccess(ctx context.Context, repo *repo_model.Repository, uid int64) (err error) { - minMode := perm.AccessModeRead - if !repo.IsPrivate { - minMode = perm.AccessModeWrite - } + minMode := perm.AccessModeNone accessMode := perm.AccessModeNone e := db.GetEngine(ctx)