Ensure that feeds are appropriately restricted (#10018)

* Always limit results by what is accessible to the user * Change signature of AccessibleRepoIDsQuery * Ensure that user with ID <= 0 is handled * Update models/repo_list.go
2020-01-28 11:39:37 +00:00
parent 797e6f8f4c
commit 206a031b38
2 changed files with 6 additions and 5 deletions
--- a/models/action.go
+++ b/models/action.go
@ -312,8 +312,8 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
 		}

 		cond = cond.And(builder.In("repo_id", repoIDs))
-	} else if opts.Actor != nil {
-		cond = cond.And(builder.In("repo_id", opts.Actor.AccessibleRepoIDsQuery()))
+	} else {
+		cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.Actor)))
 	}

 	cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})