User with limited visibility cannot view its own profile #21206

Closed
patrickbucher opened this issue Sep 19, 2022 · 0 comments · Fixed by #21210

@patrickbucher

Description

A user with limited visibility cannot open the profile page and gets an HTTPNotFound error (404). It works if the user sets the visibility to public.

In models\user\user.go (IsUserVisibleToViewer), no check is made whether the user in question is also the viewer, which should be allowed in my opinion.

As an admin, I can see my profile and all the other users' profiles.

Log (user is called foo_bar):

 router: completed GET /foo_bar for 127.0.0.1:54370, 404 Not Found in 5.4ms @ user/profile.go:29(user.Profile)

Gitea Version

1.17.2

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

2.20.1

Operating System

Debian 10 Buster

How are you running Gitea?

Binary using systemd service unit.

Database

PostgreSQL

@lunny lunny added this to the 1.17.3 milestone Sep 19, 2022
wxiaoguang pushed a commit that referenced this issue Sep 20, 2022
Fixes #21206

If user and viewer are equal the method should return true.
Also the common organization check was wrong as `count` can never be
less than 0.

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
wxiaoguang pushed a commit that referenced this issue Sep 20, 2022
backport #21210, fix #21206

If user and viewer are equal the method should return true.
Also the common organization check was wrong as count can never be less than 0.

Tests are on main branch.
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
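
The two defects named in the fix commit, isolated in a simplified visibility predicate. This is an added example, not Gitea's code: `User`, `Rule`, `Visible` and `After` are hypothetical names, the rule that a non-public profile requires a shared organization is an assumed simplification, and the `count < 0` comparison is inferred from the commit message.

```go
package main

import "fmt"

type Visibility int

const (
	Public Visibility = iota
	Limited
)

// User is a simplified stand-in for this example, not Gitea's user model.
type User struct {
	ID         int64
	IsAdmin    bool
	Visibility Visibility
}

// Rule selects which of the two fixes from the commit message are applied.
type Rule struct {
	OwnerCheck bool // allow when viewer and user are the same account
	ZeroDenies bool // deny on count == 0 instead of the unreachable count < 0
}

var After = Rule{OwnerCheck: true, ZeroDenies: true}

// Visible reports whether viewer may open u's profile. sharedOrgs is a
// COUNT(*)-style result, so it is never negative.
func Visible(r Rule, u, viewer *User, sharedOrgs int64) bool {
	if viewer != nil && (viewer.IsAdmin || (r.OwnerCheck && viewer.ID == u.ID)) {
		return true
	}
	if u.Visibility == Public {
		return true
	}
	if viewer == nil {
		return false // anonymous viewers never see non-public profiles
	}
	if r.ZeroDenies {
		return sharedOrgs > 0
	}
	return !(sharedOrgs < 0) // dead comparison: always true, so it fails open
}

func main() {
	foo, stranger := &User{ID: 1, Visibility: Limited}, &User{ID: 2} // constructed accounts
	fmt.Println(Visible(Rule{ZeroDenies: true}, foo, foo, 0))      // false: owner locked out
	fmt.Println(Visible(Rule{OwnerCheck: true}, foo, stranger, 0)) // true: stranger let in
	fmt.Println(Visible(After, foo, foo, 0), Visible(After, foo, stranger, 0)) // true false
}
```

The missing owner check fails closed (the 404 reported above), while a deny test that can never be true fails open, which is why a regression table for an authorization predicate should cover both directions.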