Skip to content

Fix org permission API visibility checks for hidden members and private orgs#36798

Merged
lunny merged 7 commits intogo-gitea:mainfrom
lunny:lunny/fix_org_permission
Mar 6, 2026
Merged

Fix org permission API visibility checks for hidden members and private orgs#36798
lunny merged 7 commits intogo-gitea:mainfrom
lunny:lunny/fix_org_permission

Conversation

@lunny
Copy link
Copy Markdown
Member

@lunny lunny commented Mar 2, 2026
edited
Loading

  • fix wrong parameter of HasOrgOrUserVisible in routers/api/v1/org/org.go
  • add integration tests covering the bug fix
  • merge permissions API tests

Generated by a coding agent with Codex 5.2

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 2, 2026
@github-actions github-actions bot added modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code labels Mar 2, 2026
wxiaoguang
wxiaoguang reviewed Mar 2, 2026
View reviewed changes
wxiaoguang
wxiaoguang previously requested changes Mar 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@wxiaoguang wxiaoguang left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't seem right

If this logic is right, then HasOrgOrUserVisible is wrong

@GiteaBot GiteaBot added lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 2, 2026
@lunny
Copy link
Copy Markdown
Member Author

lunny commented Mar 2, 2026

Doesn't seem right

If this logic is right, then HasOrgOrUserVisible is wrong

Use ctx.Doer instead of ctx.ContextUser 70b4b5b

@lunny lunny requested a review from wxiaoguang March 2, 2026 18:50
@wxiaoguang wxiaoguang dismissed their stale review March 2, 2026 19:12

dismiss

@GiteaBot GiteaBot added lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. and removed lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged labels Mar 2, 2026
wxiaoguang
wxiaoguang reviewed Mar 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@wxiaoguang wxiaoguang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the tests in tests/integration/api_user_org_perm_test.go can be merged into one PrepareTestEnv to avoid wasting CI time

@lunny
Copy link
Copy Markdown
Member Author

lunny commented Mar 2, 2026

tests/integration/api_user_org_perm_test.go

db98a51

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 5, 2026
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Mar 5, 2026
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Mar 5, 2026
@lunny lunny merged commit 57b5ed3 into go-gitea:main Mar 6, 2026
26 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Mar 6, 2026
@lunny lunny deleted the lunny/fix_org_permission branch March 6, 2026 04:32
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Mar 6, 2026
@GiteaBot
Copy link
Copy Markdown
Collaborator

GiteaBot commented Mar 6, 2026

I was unable to create a backport for 1.25. @lunny, please send one manually. 🍵

go run ./contrib/backport 36798
...  // fix git conflicts if any
go run ./contrib/backport --continue

@GiteaBot GiteaBot added the backport/manual No power to the bots! Create your backport yourself! label Mar 6, 2026
lunny added a commit to lunny/gitea that referenced this pull request Mar 6, 2026
@lunny
Fix org permission API visibility checks for hidden members and priva…
1ef94e3 
…te orgs (go-gitea#36798)

- fix wrong parameter of HasOrgOrUserVisible in
routers/api/v1/org/org.go
- add integration tests covering the bug fix
- merge permissions API tests

---
Generated by a coding agent with Codex 5.2
@lunny lunny mentioned this pull request Mar 6, 2026
Merged
@lunny lunny added the backport/done All backports for this PR have been created label Mar 6, 2026
silverwind added a commit to silverwind/gitea that referenced this pull request Mar 6, 2026
@silverwind
Merge remote-tracking branch 'origin/main' into fixmerge
f626aa0 
* origin/main: (27 commits)
  Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797)
  Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)
  Fix non-admins unable to automerge PRs from forks (go-gitea#36833)
  upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (go-gitea#36837)
  Fix dump release asset bug (go-gitea#36799)
  build(deps): update material-icon-theme v5.32.0 (go-gitea#36832)
  Fix bug to check whether user can update pull request branch or rebase branch (go-gitea#36465)
  Fix forwarded proto handling for public URL detection (go-gitea#36810)
  Fix artifacts v4 backend upload problems (go-gitea#36805)
  Add a git grep search timeout (go-gitea#36809)
  fix(repo): unify DEFAULT_SHOW_FULL_NAME output in templates and dropdown (go-gitea#36597)
  Harden render iframe open-link handling (go-gitea#36811)
  [skip ci] Updated translations via Crowdin
  fix: /repos/{owner}/{repo}/actions/{runs,jobs} requiring owner permissions (go-gitea#36818)
  Fix CRAN package version validation to allow more than 4 version components (go-gitea#36813)
  Fix API not persisting pull request unit config when has_pull_requests is not set (go-gitea#36718)
  feat: Add Actions API rerun endpoints for runs and jobs (go-gitea#36768)
  Fix bug when pushing mirror with wiki (go-gitea#36795)
  Pull Request Pusher should be the author of the merge (go-gitea#36581)
  Delete non-exist branch should return 404 (go-gitea#36694)
  ...

# Conflicts:
#	routers/web/repo/issue_view.go
silverwind added a commit to silverwind/gitea that referenced this pull request Mar 6, 2026
@silverwind
Merge branch 'main' into up
d623eae 
* main:
  Fix dbfs error handling (go-gitea#36844)
  Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797)
  Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)
  Fix non-admins unable to automerge PRs from forks (go-gitea#36833)
  upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (go-gitea#36837)

# Conflicts:
#	go.mod
#	go.sum
lunny added a commit that referenced this pull request Mar 8, 2026
@lunny
Fix org permission API visibility checks for hidden members and priva…
96515c0 
…te orgs (#36798) (#36841)

backport #36798 

- fix wrong parameter of HasOrgOrUserVisible in
routers/api/v1/org/org.go
- add integration tests covering the bug fix
- merge permissions API tests

---
Generated by a coding agent with Codex 5.2
silverwind added a commit to silverwind/gitea that referenced this pull request Mar 8, 2026
@silverwind
Merge branch 'main' into cm
8df7e3f 
* main: (26 commits)
  Clean up `refreshViewedFilesSummary` (go-gitea#36868)
  Remove `util.URLJoin` and replace all callers with direct path concatenation (go-gitea#36867)
  Optimize Docker build with dependency layer caching (go-gitea#36864)
  Fix URLJoin, markup render link reoslving, sign-in/up/linkaccount page common data (go-gitea#36861)
  Fix CodeQL code scanning alerts (go-gitea#36858)
  Refactor auth middleware (go-gitea#36848)
  Update Nix flake (go-gitea#36857)
  Update JS deps (go-gitea#36850)
  Load `mentionValues` asynchronously (go-gitea#36739)
  [skip ci] Updated translations via Crowdin
  Fix dbfs error handling (go-gitea#36844)
  Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797)
  Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)
  Fix non-admins unable to automerge PRs from forks (go-gitea#36833)
  upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (go-gitea#36837)
  Fix dump release asset bug (go-gitea#36799)
  build(deps): update material-icon-theme v5.32.0 (go-gitea#36832)
  Fix bug to check whether user can update pull request branch or rebase branch (go-gitea#36465)
  Fix forwarded proto handling for public URL detection (go-gitea#36810)
  Fix artifacts v4 backend upload problems (go-gitea#36805)
  ...

# Conflicts:
#	pnpm-lock.yaml
zjjhot added a commit to zjjhot/gitea that referenced this pull request Mar 10, 2026
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
4deb62b 
* giteaofficial/main:
  Update minimum go version to 1.26.1, golangci-lint to 2.11.2, fix test style (go-gitea#36876)
  Add render cache for SVG icons (go-gitea#36863)
  Fix incorrect viewed files counter if reverted change was viewed (go-gitea#36819)
  [skip ci] Updated translations via Crowdin
  Clean up `refreshViewedFilesSummary` (go-gitea#36868)
  Remove `util.URLJoin` and replace all callers with direct path concatenation (go-gitea#36867)
  Optimize Docker build with dependency layer caching (go-gitea#36864)
  Fix URLJoin, markup render link reoslving, sign-in/up/linkaccount page common data (go-gitea#36861)
  Fix CodeQL code scanning alerts (go-gitea#36858)
  Refactor auth middleware (go-gitea#36848)
  Update Nix flake (go-gitea#36857)
  Update JS deps (go-gitea#36850)
  Load `mentionValues` asynchronously (go-gitea#36739)
  [skip ci] Updated translations via Crowdin
  Fix dbfs error handling (go-gitea#36844)
  Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797)
  Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wxiaoguang wxiaoguang wxiaoguang left review comments

@silverwind silverwind silverwind approved these changes

@Zettat123 Zettat123 Zettat123 approved these changes

Assignees

No one assigned

Labels

backport/done All backports for this PR have been created backport/manual No power to the bots! Create your backport yourself! backport/v1.25 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code type/bug

Projects

None yet

Milestone

1.26.0

Development

Successfully merging this pull request may close these issues.

5 participants

@lunny @GiteaBot @silverwind @wxiaoguang @Zettat123