From a3e5231f5e06e4256685f4bca6a27dd46c38e9b0 Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Thu, 17 Nov 2022 20:29:33 +0100 Subject: [PATCH] Do not allow Ghost access to limited visible user/org (#21849) The Ghost user should not be allowed to have access to a limited visible user/org. Co-authored-by: Lauris BH --- models/organization/org.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/models/organization/org.go b/models/organization/org.go index 0d4a5e337b626..6e70233bc38c2 100644 --- a/models/organization/org.go +++ b/models/organization/org.go @@ -448,8 +448,9 @@ func CountOrgs(opts FindOrgOptions) (int64, error) { // HasOrgOrUserVisible tells if the given user can see the given org or user func HasOrgOrUserVisible(ctx context.Context, orgOrUser, user *user_model.User) bool { - // Not SignedUser - if user == nil { + // If user is nil, it's an anonymous user/request. + // The Ghost user is handled like an anonymous user. + if user == nil || user.IsGhost() { return orgOrUser.Visibility == structs.VisibleTypePublic }