From cb563434eedb84dd409f31f7d602d0eb73c79ccb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?=
 =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= <i.am.the.tablet@proton.me>
Date: Sun, 30 Nov 2025 14:24:40 -0500
Subject: [PATCH] update group web context

ensure we 404 if the group is not accessible
---
 services/context/group.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/services/context/group.go b/services/context/group.go
index 027417257c..83ed7debf2 100644
--- a/services/context/group.go
+++ b/services/context/group.go
@@ -106,6 +106,16 @@ func GroupAssignment(args GroupAssignmentOptions) func(ctx *Context) {
 			ctx.NotFound(err)
 			return
 		}
+		canAccess, err := ctx.RepoGroup.Group.CanAccess(ctx, ctx.Doer)
+		if err != nil {
+			ctx.ServerError("error checking group access", err)
+			return
+		}
+		if !canAccess {
+			ctx.NotFound(nil)
+			return
+		}
+
 		if ctx.RepoGroup.Group.Visibility == structs.VisibleTypePrivate {
 			args.RequireMember = true
 		} else if ctx.IsSigned && ctx.Doer.IsRestricted {