improve permission check

yp05327 · yp05327 · commit 0aebdbf8ed31 · 2023-11-10T01:33:58.000Z
diff --git a/routers/web/org/home.go b/routers/web/org/home.go
@@ -157,7 +157,7 @@ func Home(ctx *context.Context) {
 
 	ctx.Data["ShowMemberAndTeamTab"] = ctx.Org.IsMember || len(members) > 0
 
-	profileGitRepo, profileReadmeBlob, profileClose := shared_user.FindUserProfileReadme(ctx)
+	profileGitRepo, profileReadmeBlob, profileClose := shared_user.FindUserProfileReadme(ctx, ctx.Doer)
 	defer profileClose()
 	prepareOrgProfileReadme(ctx, profileGitRepo, profileReadmeBlob)
 
diff --git a/routers/web/shared/user/header.go b/routers/web/shared/user/header.go
@@ -6,7 +6,9 @@ package user
 import (
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/organization"
+	access_model "code.gitea.io/gitea/models/perm/access"
 	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/git"
@@ -84,9 +86,10 @@ func PrepareContextForProfileBigAvatar(ctx *context.Context) {
 	}
 }
 
-func FindUserProfileReadme(ctx *context.Context) (profileGitRepo *git.Repository, profileReadmeBlob *git.Blob, profileClose func()) {
+func FindUserProfileReadme(ctx *context.Context, doer *user_model.User) (profileGitRepo *git.Repository, profileReadmeBlob *git.Blob, profileClose func()) {
 	profileDbRepo, err := repo_model.GetRepositoryByName(ctx, ctx.ContextUser.ID, ".profile")
-	if err == nil && !profileDbRepo.IsEmpty && !profileDbRepo.IsPrivate {
+	perm, err := access_model.GetUserRepoPermission(ctx, profileDbRepo, doer)
+	if err == nil && !profileDbRepo.IsEmpty && perm.CanRead(unit.TypeCode) {
 		if profileGitRepo, err = git.OpenRepository(ctx, profileDbRepo.RepoPath()); err != nil {
 			log.Error("FindUserProfileReadme failed to OpenRepository: %v", err)
 		} else {
@@ -107,7 +110,7 @@ func FindUserProfileReadme(ctx *context.Context) (profileGitRepo *git.Repository
 func RenderUserHeader(ctx *context.Context) {
 	prepareContextForCommonProfile(ctx)
 
-	_, profileReadmeBlob, profileClose := FindUserProfileReadme(ctx)
+	_, profileReadmeBlob, profileClose := FindUserProfileReadme(ctx, ctx.Doer)
 	defer profileClose()
 	ctx.Data["HasProfileReadme"] = profileReadmeBlob != nil
 }
diff --git a/routers/web/user/profile.go b/routers/web/user/profile.go
@@ -64,7 +64,7 @@ func userProfile(ctx *context.Context) {
 		ctx.Data["HeatmapTotalContributions"] = activities_model.GetTotalContributionsInHeatmap(data)
 	}
 
-	profileGitRepo, profileReadmeBlob, profileClose := shared_user.FindUserProfileReadme(ctx)
+	profileGitRepo, profileReadmeBlob, profileClose := shared_user.FindUserProfileReadme(ctx, ctx.Doer)
 	defer profileClose()
 
 	showPrivate := ctx.IsSigned && (ctx.Doer.IsAdmin || ctx.Doer.ID == ctx.ContextUser.ID)

Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ func userProfile(ctx *context.Context) {`
`64`	`64`	`ctx.Data["HeatmapTotalContributions"] = activities_model.GetTotalContributionsInHeatmap(data)`
`65`	`65`	`}`
`66`	`66`
`67`		`- profileGitRepo, profileReadmeBlob, profileClose := shared_user.FindUserProfileReadme(ctx)`
	`67`	`+ profileGitRepo, profileReadmeBlob, profileClose := shared_user.FindUserProfileReadme(ctx, ctx.Doer)`
`68`	`68`	`defer profileClose()`
`69`	`69`
`70`	`70`	`showPrivate := ctx.IsSigned && (ctx.Doer.IsAdmin \|\| ctx.Doer.ID == ctx.ContextUser.ID)`