From 88d5275614a82f01ddf728435803ff6000a2262e Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Thu, 17 Nov 2022 20:29:33 +0100 Subject: [PATCH] Do not allow Ghost access to limited visible user/org (#21849) The Ghost user should not be allowed to have access to a limited visible user/org. Co-authored-by: Lauris BH --- models/organization/org.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/models/organization/org.go b/models/organization/org.go index af9c1f307c0..6bb982b2814 100644 --- a/models/organization/org.go +++ b/models/organization/org.go @@ -458,8 +458,9 @@ func CountOrgs(opts FindOrgOptions) (int64, error) { // HasOrgOrUserVisible tells if the given user can see the given org or user func HasOrgOrUserVisible(ctx context.Context, orgOrUser, user *user_model.User) bool { - // Not SignedUser - if user == nil { + // If user is nil, it's an anonymous user/request. + // The Ghost user is handled like an anonymous user. + if user == nil || user.IsGhost() { return orgOrUser.Visibility == structs.VisibleTypePublic }