mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-14 06:47:16 +02:00
24ce5ae082
The GET /api/v1/orgs/{org}/labels and GET /api/v1/orgs/{org}/labels/{id}
endpoints did not check whether the caller could see the organization, so
labels of a private org were disclosed to non-members (and anonymously for
the list route). Add a reqOrgVisible() middleware mirroring the visibility
check used by org.Get and apply it to the labels group.