Show private user if this user follows the current user #28024

Open
wants to merge 9 commits into base: main

6543
Member

@6543 6543 commented Nov 13, 2023

e.g. the explore page did hide private users which should be visible to the current user


Sponsored by Kithara Software GmbH

@6543 6543 added the type/bug label Nov 13, 2023
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 13, 2023
@pull-request-size pull-request-size bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Nov 13, 2023
@6543 6543 added backport/v1.20 This PR should be backported to Gitea 1.20 backport/v1.21 This PR should be backported to Gitea 1.21 labels Nov 13, 2023
@yp05327
Contributor

yp05327 commented Nov 14, 2023

I can't imagine the use case of this change, and I don't think this is a bug. Can you provide more details about this change?
And if current user can see the private user, then can he/she see or access the private user's repos or other things?

@6543
Member Author

6543 commented Nov 14, 2023

that's quite intentional, it's a feature to allow-list users if you make yourself private.
If that's not granular enough, we need a new lookup table just for that. (which would be an enhancement pull)

this is a bug as it works for single user permission checks but not for user search queries.

see:

func IsUserVisibleToViewer(ctx context.Context, u, viewer *User) bool {

gitea/models/user/user.go

Lines 1248 to 1252 in 5380fd5

    // If they follow - they see each over
    follower := IsFollowing(ctx, u.ID, viewer.ID)
    if follower {
        return true
    }

ps: if we split this feature out we would also add block condition to the follow feature as you should only follow users who can also see you
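
Added example, not part of this PR or Gitea's code: a simplified in-memory model of the mismatch described in the comment above, where the single-user check honours the follow rule but a list query filters on the private flag alone. The types, function names and sample users are assumptions made for illustration; only the rule "a private user is visible to viewers they follow" comes from the quoted snippet.

```go
package main

import "fmt"

// Simplified model, constructed for illustration (not Gitea's schema).
type User struct {
	ID      int64
	Name    string
	Private bool
}

type Follows map[int64]map[int64]bool // Follows[a][b]: user a follows user b

// Visible is the single-user check: a private user is visible to
// themselves and to the viewers they follow.
func Visible(f Follows, u, viewer *User) bool {
	if !u.Private {
		return true
	}
	return viewer != nil && (u.ID == viewer.ID || f[u.ID][viewer.ID])
}

// SearchFlagOnly models a list query that filters on the private flag alone.
func SearchFlagOnly(all []*User, viewer *User) (out []string) {
	for _, u := range all {
		if !u.Private || (viewer != nil && u.ID == viewer.ID) {
			out = append(out, u.Name)
		}
	}
	return out
}

// SearchConsistent applies the same predicate as the single-user check,
// so the list view and the profile view cannot disagree.
func SearchConsistent(f Follows, all []*User, viewer *User) (out []string) {
	for _, u := range all {
		if Visible(f, u, viewer) {
			out = append(out, u.Name)
		}
	}
	return out
}

// Sample returns constructed data: private user "alice" follows "bob".
func Sample() (Follows, []*User) {
	return Follows{1: {2: true}}, []*User{{1, "alice", true}, {2, "bob", false}, {3, "carol", false}}
}

func main() {
	f, users := Sample()
	fmt.Println(SearchFlagOnly(users, users[1]), SearchConsistent(f, users, users[1]))
}
```

Deriving every listing from the one predicate also means any later change to the visibility rule (for example a dedicated allow-list table) takes effect in both paths at once.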

@yp05327
Contributor

yp05327 commented Nov 14, 2023

Not completely understand yet, but I found another bug 🤔
Doer is following TestUser but the following count is 0
image

Will be fixed in #28037

@yp05327
Contributor

yp05327 commented Nov 14, 2023

I understood what you said.

But I doubt the original logic you mentioned in IsUserVisibleToViewer which comes from #16069.
This causes many problems now:

  • current user can get the repo list of the private user, but current user has no access permission to these repos
  • user's package page will return 404
  • we do not have private project now, so user's individual projects and the issues in these projects will be displayed
    For example:
    image
  • starred repositories also have bugs
    image

I just want to follow user A, but because of the following, user A can see my private repos, projects, and issues which seems strange.
IMO, the correct logic is that at least they are following each other, they can get this private information.
And also we need to check the permission check logic in other places mentioned above.

@6543
Member Author

6543 commented Nov 14, 2023

a user can't follow a private user ...
... the only solution is as proposed to make an extra lookup table

@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Mar 16, 2024
@lunny
Member

lunny commented Apr 9, 2024

I think we need some discussion and decision about whether one should be viewed by the user he followed.

@lunny lunny removed backport/v1.20 This PR should be backported to Gitea 1.20 backport/v1.21 This PR should be backported to Gitea 1.21 labels Dec 25, 2024