From b0257d14683b498a202ebcc2fad9edc5a653542f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?=
 =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= <i.am.the.tablet@proton.me>
Date: Sat, 20 Dec 2025 15:22:33 -0500
Subject: [PATCH] fix: update `CanAccessAtLevel` func

ensure that public groups can always be accessed if requested level == read
---
 models/group/group.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/models/group/group.go b/models/group/group.go
index de87cdf3c0..d2c9f19fe0 100644
--- a/models/group/group.go
+++ b/models/group/group.go
@@ -137,7 +137,11 @@ func (g *Group) CanAccess(ctx context.Context, user *user_model.User) (bool, err
 }
 
 func (g *Group) CanAccessAtLevel(ctx context.Context, user *user_model.User, level perm.AccessMode) (bool, error) {
-	return db.GetEngine(ctx).Where(AccessibleGroupCondition(user, unit.TypeInvalid, level).And(builder.Eq{"`repo_group`.id": g.ID})).Exist(&Group{})
+	orCond := builder.Or(AccessibleGroupCondition(user, unit.TypeInvalid, level))
+	if level == perm.AccessModeRead {
+		orCond = orCond.Or(builder.Eq{"`repo_group`.visibility": structs.VisibleTypePublic})
+	}
+	return db.GetEngine(ctx).Table(g.TableName()).Where(orCond.And(builder.Eq{"`repo_group`.id": g.ID})).Exist()
 }
 
 func (g *Group) IsOwnedBy(ctx context.Context, userID int64) (bool, error) {