Public repositories within private org are not visible to members

[proton-ab]

• Gitea version (or commit ref): 1.10.3 / 1.12.0+dev-251-gd4096ab6a
• Git version: Not relevant
• Operating system: Not relevant
• Database:
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist: Not relevant

Description

When repository, within an organization which has visibility set to Private, is set as public and user is part of a team that has no access specified to this repository, repository can be accessed via direct URI but can not be viewed on any list within UI.

I would expect that setting repository as public within Private organization would allow members of all teams to view it, regardless of team's permissions and team's repositories (for example I might want to make repository visible but read-only to all members of organization, while certain teams can write to different repositories).

This does not apply when organization is set as Limited. In such a case, repository is properly visible (to both members of organization as well as outside users).

Owners of org can of course see all repositories just fine.

Screenshots

[stale]

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

[6543]

@proton-ab does this still be the case on 1.11.4 or master?

[proton-ab]

@6543 yes, as a member of team that has access to certain private repositories within organization I still can not see the public repositories in that organization. I can access them directly but otherwise they are hidden.

[proton-ab]

The issue seems to be present in SearchRepositoryCondition, specifically in condition that handles if opts.OwnerID > 0. Repository will be visible here only if:

1. We are collaborators - but we are not in this case (either directly or by being in a team that has explicit access to such repository)
2. It's public and AllPublic is true - but the organization is not public
3. It's limited and AllLimited is true - but the organization is not limited

As you can see, all 3 cases are false, hence the repository is never shown.

[zeripath]

Can you reproduce on try? I can't seem to reproduce this.

[proton-ab]

The screenshots included are from try, I can't really link you because org has to be private.

[proton-ab]

The reproduction steps however are as follow:

• Create user A
• Create user B
• As user A create organization C
• Mark organization C as private
• In organization C create private repository D
• In organization C create public repository E
• In organization C create team F with write access
• In team F in organization C, add repository D to access list
• In organization C, add user B to team C
• Confirm both repositories D and E are visible
• Login as user B, confirm repository D is visible but E is not
• Manually navigate to URL where repository E should be, confirm it opens

[zeripath]

It's weird because I literally just did those steps on master and on try and did not have this problem...

The two users are arandomer@mailinator.com and tester@mailinator.com their passwords are their email addresses as they predate the (imho unnecessary) password rules. The private org is arprivateOrg.

Arandomer is the owner, tester_mailinator is the user.

[proton-ab]

You have added the ArPublic repository as accessible to a team 'writers' which tester@mailinator.com is part of, hence they can write to it. The bug describes situation where user is member of a team that does not have explicit access to public repository via team. I have now corrected the mistake, please check now.

[CirnoT]

Maybe we should reopen it, the mentioned PR does not fix issue entirely; explore page is still missing public repo but shows private one.

Also unsure if dashboard should show such repo or not; currently it does not since user is not contributor, but maybe being member of organization should trump that requirement for public repos?

[zeripath]

yeah I don't think that I have solved this!

[mschoettle]

If an organization is private and public repositories are shown this also shows the (existence of the) organization, no? So what would the benefit be to have a private organization?

The reason I am asking this is: I created a private organization ("visible only to organization members") and somehow expected all repos to be invisible/private, however, I was able to clone it as an anonymous user.

[zeripath]

@mschoettle that sounds like another bug - could you open another issue please

[CirnoT]

@mschoettle Public repositories within private organization are visible to all members of said organization. I can not reproduce your report (ability to clone public repositories of private organization by either anonymous user or user without access to organization)

[mschoettle]

@CirnoT I just tried it on https://try.gitea.io and could reproduce it.

I opened another issue: #11651