Fix visibility of forked public repos from private orgs #11717

Merged (5 commits) Jun 7, 2020

Conversation

CirnoT
Contributor

@CirnoT CirnoT commented Jun 1, 2020

Ensure that public repos of private orgs (so-called internal repos, visible only to members of the organization) are set as private when forked.

Most likely kind/security

@CirnoT
Contributor Author

CirnoT commented Jun 1, 2020

Needs additional logic for when org visibility is changed.
Done

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jun 1, 2020
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jun 1, 2020
@CirnoT
Contributor Author

CirnoT commented Jun 1, 2020

Added logic to update forks visibility when org visibility has changed.

@CirnoT CirnoT requested a review from zeripath June 1, 2020 11:48
@zeripath zeripath added this to the 1.13.0 milestone Jun 1, 2020
@lafriks
Member

lafriks commented Jun 1, 2020

For initial yes, but I don't think it is a good idea to update visibility on main repository visibility change.

@CirnoT
Contributor Author

CirnoT commented Jun 1, 2020

For initial yes, but I don't think it is a good idea to update visibility on main repository visibility change.

I don't understand. Forked repositories always follow the parent; the visibility cannot be changed on a fork, ever. This PR only fixes it so that organization visibility is also included. This is a security fix, as a public repository of a private organization is visible only to organization members, but upon forking it is visible to everyone. In addition, forking cannot be disabled, so an organization owner can never prevent leakage of public repos in a private org.

That being said, I agree that forks of a public repo should not follow the parent when it goes private; in particular this should be solved by decoupling forks from the parent (turning them into normal repositories) once the parent becomes private. But that is out of scope for this PR.
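The rule described above (a fork always follows its parent, and after this PR the owning organization's visibility counts as well), as an added Go sketch that is not Gitea's code: the Owner and Repo types are made up for the example, the old and fixed rules are shown side by side, and the propagation on an org visibility change mirrors what the PR's second commit does.

```go
package main
import "fmt"

// Constructed model of the rule this PR discusses; these are not Gitea's own types.
type Visibility int

const (
	Public Visibility = iota
	Limited // signed-in users only
	Private // members only
)
// Owner is a user or organisation account; an org's Visibility gates who sees its repos.
type Owner struct {
	Visibility Visibility
	Repos      []*Repo
}
// Repo carries its own private flag; forks must always follow the parent's visibility.
type Repo struct {
	Owner     *Owner
	IsPrivate bool
	Forks     []*Repo
}
// Pre-fix rule: only the repo flag was inherited, so a public repo in a private org leaked.
func forkIsPrivateOld(base *Repo) bool { return base.IsPrivate }
// Fixed rule: the owning account's visibility is included (Limited counts as non-public too).
func forkIsPrivate(base *Repo) bool { return base.IsPrivate || base.Owner.Visibility != Public }

// Fork creates a fork owned by 'into' whose private flag follows the parent.
func Fork(base *Repo, into *Owner) *Repo {
	f := &Repo{Owner: into, IsPrivate: forkIsPrivate(base)}
	base.Forks = append(base.Forks, f)
	into.Repos = append(into.Repos, f)
	return f
}
// SetOwnerVisibility changes an account's visibility and, like the PR's second commit, recomputes every fork's flag.
func SetOwnerVisibility(o *Owner, v Visibility) {
	o.Visibility = v
	for _, r := range o.Repos {
		for _, f := range r.Forks {
			f.IsPrivate = forkIsPrivate(r)
		}
	}
}

func main() {
	org := &Owner{Visibility: Private}
	base := &Repo{Owner: org} // public repo inside a private org
	org.Repos = append(org.Repos, base)
	f := Fork(base, &Owner{}) // forked into a public user account
	fmt.Println("old rule private:", forkIsPrivateOld(base), "fixed rule private:", f.IsPrivate)
}
```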

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jun 5, 2020
@CirnoT
Contributor Author

CirnoT commented Jun 6, 2020

Ready for merge, addressed @guillep2k's questions here: #11717 (comment)

@zeripath
Contributor

zeripath commented Jun 6, 2020

make lg-tm work

@techknowlogick
Member

ping LG-TM

@techknowlogick techknowlogick merged commit 94f60e1 into go-gitea:master Jun 7, 2020
@CirnoT CirnoT deleted the internal-visibility branch June 7, 2020 08:12
ydelafollye pushed a commit to ydelafollye/gitea that referenced this pull request Jul 31, 2020
* Fix visibility of forked public repos from private orgs

* update forks visibility when org visibility is changed

Co-authored-by: Lunny Xiao <[email protected]>
Co-authored-by: zeripath <[email protected]>
Co-authored-by: techknowlogick <[email protected]>
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug