From 923e84d4e5b721bbd0b86a8a19d4561e9ba07872 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Wed, 13 Aug 2025 21:59:19 -0400
Subject: [PATCH] update `AccessibleGroupCondition` function to take a minimum `perm.AccessMode` as a parameter
---
 models/group/group.go | 14 +++++++-------
 models/group/group_list.go | 6 ++++--
 routers/api/v1/api.go | 8 ++------
 3 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/models/group/group.go b/models/group/group.go
index 97ca825b21..9130d3628c 100644
--- a/models/group/group.go
+++ b/models/group/group.go
@@ -94,7 +94,7 @@ func (g *Group) LoadSubgroups(ctx context.Context, recursive bool) error {
 }
 
 func (g *Group) LoadAccessibleSubgroups(ctx context.Context, recursive bool, doer *user_model.User) error {
- return g.doLoadSubgroups(ctx, recursive, AccessibleGroupCondition(doer, unit.TypeInvalid), 0)
+ return g.doLoadSubgroups(ctx, recursive, AccessibleGroupCondition(doer, unit.TypeInvalid, perm.AccessModeRead), 0)
 }
 
 func (g *Group) LoadAttributes(ctx context.Context) error {
@@ -129,13 +129,12 @@ func (g *Group) LoadOwner(ctx context.Context) error {
 return err
 }
 
-func (g *Group) CanAccess(ctx context.Context, userID int64) (bool, error) {
- return g.CanAccessAtLevel(ctx, userID, perm.AccessModeRead)
+func (g *Group) CanAccess(ctx context.Context, user *user_model.User) (bool, error) {
+ return g.CanAccessAtLevel(ctx, user, perm.AccessModeRead)
 }
 
-func (g *Group) CanAccessAtLevel(ctx context.Context, userID int64, level perm.AccessMode) (bool, error) {
- return db.GetEngine(ctx).
- Where(UserOrgTeamPermCond("id", userID, level)).Table("repo_group").Exist()
+func (g *Group) CanAccessAtLevel(ctx context.Context, user *user_model.User, level perm.AccessMode) (bool, error) {
+ return db.GetEngine(ctx).Where(AccessibleGroupCondition(user, unit.TypeInvalid, level).And(builder.Eq{"`repo_group`.id": g.ID})).Exist(&Group{})
 }
 
 func (g *Group) IsOwnedBy(ctx context.Context, userID int64) (bool, error) {
@@ -337,9 +336,10 @@ func UpdateGroup(ctx context.Context, group *Group) error {
 func MoveGroup(ctx context.Context, group *Group, newParent int64, newSortOrder int) error {
 sess := db.GetEngine(ctx)
 ng, err := GetGroupByID(ctx, newParent)
- if !IsErrGroupNotExist(err) {
+ if err != nil && !IsErrGroupNotExist(err) {
 return err
 }
+
 if ng != nil {
 if ng.OwnerID != group.OwnerID {
 return fmt.Errorf("group[%d]'s ownerID is not equal to new parent group[%d]'s owner ID", group.ID, ng.ID)
diff --git a/models/group/group_list.go b/models/group/group_list.go
index 133f8dbd64..81387ba091 100644
--- a/models/group/group_list.go
+++ b/models/group/group_list.go
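Review bot: `CanAccessAtLevel` passes `level` as a minimum, but the condition it builds cannot enforce one: in `AccessibleGroupCondition` (the `@@ -68,7 +69,7 @@` and `@@ -76,6 +77,7 @@` hunks of models/group/group_list.go) the public-visibility branch is OR'ed in without consulting `minMode`, and the new `UserOrgTeamPermCond` term is only one more `Or`. As written, a check at `perm.AccessModeWrite` or above appears to succeed for any public group, including for a nil user, and `reqGroupMembership` in routers/api/v1/api.go uses this result as its authorization gate. Consider admitting the level-independent branches only for read checks, e.g. `if minMode <= perm.AccessModeRead && (user == nil || !user.IsRestricted || user.ID <= 0) {`, and treating the `UserOrgTeamGroupCond` branch, whose arguments carry no access mode, the same way. The rest of `AccessibleGroupCondition` lies outside the visible hunks, so confirm this against the full function and add a test that a read-only or anonymous user is refused at write level.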
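Review bot: In `MoveGroup`, a `newParent` that does not exist still falls through the corrected check, because `IsErrGroupNotExist(err)` is tolerated and the owner comparison only runs when `ng != nil`. If only a zero `newParent` is meant to denote "no parent", reject the other case explicitly, e.g. `if err != nil && (newParent != 0 || !IsErrGroupNotExist(err)) { return err }`, so that a group cannot be re-parented to an id that was never validated against `OwnerID`. This assumes `GetGroupByID` returns a nil group on not-found; the rest of `MoveGroup` is outside the hunk.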
@@ -33,6 +33,7 @@ func userOrgTeamGroupBuilder(userID int64) *builder.Builder {
 Where(builder.Eq{"`team_user`.uid": userID})
 }
 
+// UserOrgTeamPermCond returns a condition to select ids of groups that a user can access at the level described by `level`
 func UserOrgTeamPermCond(idStr string, userID int64, level perm.AccessMode) builder.Cond {
 selCond := userOrgTeamGroupBuilder(userID)
 selCond = selCond.InnerJoin("team", "`team`.id = `repo_group_team`.team_id").
@@ -60,7 +61,7 @@ func userOrgTeamUnitGroupBuilder(userID int64, unitType unit.Type) *builder.Buil
 }
 
 // AccessibleGroupCondition returns a condition that matches groups which a user can access via the specified unit
-func AccessibleGroupCondition(user *user_model.User, unitType unit.Type) builder.Cond {
+func AccessibleGroupCondition(user *user_model.User, unitType unit.Type, minMode perm.AccessMode) builder.Cond {
 cond := builder.NewCond()
 if user == nil || !user.IsRestricted || user.ID <= 0 {
 orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate}
@@ -68,7 +69,7 @@ func AccessibleGroupCondition(user *user_model.User, unitType unit.Type) builder
 orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited)
 }
 cond = cond.Or(builder.And(
- builder.Eq{"`repo_group`.is_private": false},
+ builder.Eq{"`repo_group`.visibility": structs.VisibleTypePublic},
 builder.NotIn("`repo_group`.owner_id", builder.Select("id").From("`user`").Where(
 builder.And(
 builder.Eq{"type": user_model.UserTypeOrganization},
@@ -76,6 +77,7 @@ func AccessibleGroupCondition(user *user_model.User, unitType unit.Type) builder
 ))))
 }
 if user != nil {
+ cond = cond.Or(UserOrgTeamPermCond("`repo_group`.id", user.ID, minMode))
 if unitType == unit.TypeInvalid {
 cond = cond.Or(
 UserOrgTeamGroupCond("`repo_group`.id", user.ID),
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 9c89c31831..98c8ab11de 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
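Review bot: The doc comment kept above `AccessibleGroupCondition` in the `@@ -60,7 +61,7 @@` hunk still describes only the unit and says nothing about the new `minMode` parameter. Callers that use the result for permission decisions need to know which branches the parameter applies to, so add a line such as `// minMode is the minimum team access mode a group must grant the user to match via UserOrgTeamPermCond.` and state whether the public-visibility branch is meant to honour it. The function body continues beyond the visible hunks.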
@@ -507,12 +507,8 @@ func reqGroupMembership(mode perm.AccessMode, needsCreatePerm bool) func(ctx *co
 ctx.APIErrorInternal(err)
 return
 }
- var canAccess bool
- if ctx.IsSigned {
- canAccess, err = g.CanAccessAtLevel(ctx, ctx.Doer.ID, mode)
- } else {
- canAccess, err = g.CanAccessAtLevel(ctx, 0, mode)
- }
+ canAccess, err := g.CanAccessAtLevel(ctx, ctx.Doer, mode)
+
 if err != nil {
 ctx.APIErrorInternal(err)
 return