mirror of https://github.com/go-gitea/gitea.git synced 2026-06-18 05:03:00 +02:00
Nicolas 2828e4bf72
fix(api): don't expose private org membership via public_members
The GET /orgs/{org}/public_members and /public_members/{username}
endpoints returned membership information without checking whether the
requester is allowed to see the organization. For a private org, any
authenticated user could probe public_members/{username} and infer
membership from the 204 vs 404 response, disclosing data that is hidden
in the web UI.

Gate both handlers on HasOrgOrUserVisible so they return 404 when the
doer cannot see the organization, matching the existing behaviour of the
org GET endpoint.

Assisted-by: Claude:claude-opus-4-8
2026-06-17 17:11:55 +02:00
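The fix described in the commit message, gating both public_members handlers so that a hidden organization and a non-existent one produce the same 404, as an added example in Go. This is illustration code, not Gitea's: the org store, the `hasOrgVisible` stand-in for HasOrgOrUserVisible, the `X-Doer` header used in place of real authentication, and the sample organizations and members are all constructed for the example. The `gate` flag switches between the pre-fix shape (existence check only) and the gated version so the membership oracle can be observed and then shown closed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// Visibility levels of an organization (public, limited, private).
type Visibility int

const (
	Public  Visibility = iota // visible to everyone, including anonymous users
	Limited                   // visible to any signed-in user
	Private                   // visible only to members
)

// Org is a minimal stand-in for an organization record (hypothetical type).
type Org struct {
	Name          string
	Visibility    Visibility
	Members       map[string]bool // every member, including hidden ones
	PublicMembers map[string]bool // members who chose public membership
}

// orgs is constructed sample data for this example only.
var orgs = map[string]*Org{
	"acme": {
		Name: "acme", Visibility: Private,
		Members:       map[string]bool{"alice": true, "bob": true},
		PublicMembers: map[string]bool{"alice": true},
	},
	"oss": {
		Name: "oss", Visibility: Public,
		Members:       map[string]bool{"carol": true},
		PublicMembers: map[string]bool{"carol": true},
	},
}

// hasOrgVisible is a hypothetical stand-in for HasOrgOrUserVisible:
// may the doer ("" means anonymous) see this organization at all?
func hasOrgVisible(org *Org, doer string) bool {
	switch org.Visibility {
	case Public:
		return true
	case Limited:
		return doer != ""
	default:
		return org.Members[doer]
	}
}

// publicMembersHandler serves GET /api/v1/orgs/{org}/public_members and
// GET /api/v1/orgs/{org}/public_members/{username}. With gate=false it
// reproduces the pre-fix shape (no visibility check); with gate=true a
// hidden org is indistinguishable from a missing one: both answer 404.
func publicMembersHandler(gate bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		doer := r.Header.Get("X-Doer") // constructed stand-in for the authenticated user
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if len(parts) < 5 || len(parts) > 6 || parts[0] != "api" || parts[1] != "v1" ||
			parts[2] != "orgs" || parts[4] != "public_members" {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		org := orgs[parts[3]]
		if org == nil || (gate && !hasOrgVisible(org, doer)) {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		if len(parts) == 6 { // membership probe: 204 if a public member, else 404
			if org.PublicMembers[parts[5]] {
				w.WriteHeader(http.StatusNoContent)
			} else {
				w.WriteHeader(http.StatusNotFound)
			}
			return
		}
		names := make([]string, 0, len(org.PublicMembers)) // listing endpoint
		for n := range org.PublicMembers {
			names = append(names, n)
		}
		sort.Strings(names)
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(names)
	}
}

// probe issues one GET as the given doer and returns the HTTP status code.
func probe(gate bool, doer, path string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if doer != "" {
		req.Header.Set("X-Doer", doer)
	}
	rec := httptest.NewRecorder()
	publicMembersHandler(gate)(rec, req)
	return rec.Code
}

func main() {
	// mallory is not a member of the private org "acme".
	for _, gate := range []bool{false, true} {
		fmt.Printf("gate=%v  acme/alice:%d  acme/bob:%d  acme/nobody:%d\n", gate,
			probe(gate, "mallory", "/api/v1/orgs/acme/public_members/alice"),
			probe(gate, "mallory", "/api/v1/orgs/acme/public_members/bob"),
			probe(gate, "mallory", "/api/v1/orgs/acme/public_members/nobody"))
	}
}
```

With `gate=false` an outsider probing the private org sees 204 for the public member and 404 for everyone else, which is exactly the oracle the commit describes; with `gate=true` every probe against an org the doer cannot see returns 404, the same answer a non-existent org gives, while a member of the org still gets the normal 204/404 and the listing. The check belongs before any lookup that depends on the username, otherwise an early return on the username lookup would reopen the oracle.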