Do not allow Ghost access to limited visible user/org (go-gitea#21849)

The Ghost user should not be allowed to have access to a limited visible user/org. Co-authored-by: Lauris BH <[email protected]>
KN4CK3R · Nov 20, 2022 · af494e4 · af494e4
1 parent ef08998
commit af494e4
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/models/organization/org.go b/models/organization/org.go
@@ -458,8 +458,9 @@ func CountOrgs(opts FindOrgOptions) (int64, error) {
 
 // HasOrgOrUserVisible tells if the given user can see the given org or user
 func HasOrgOrUserVisible(ctx context.Context, orgOrUser, user *user_model.User) bool {
- // Not SignedUser
- if user == nil {
+ // If user is nil, it's an anonymous user/request.
+ // The Ghost user is handled like an anonymous user.
+ if user == nil || user.IsGhost() {
  return orgOrUser.Visibility == structs.VisibleTypePublic
  }