Allow all members of private orgs to see public repos (#11442) (#11459)

* Allow all members of private orgs to see public repos (#11442)

Backport (#11442)

Allow all members of private orgs to see public repos

Fix #10144

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update models/repo_list.go

* Oops missed the repos we own!

Signed-off-by: Andrew Thornton <art27@cantab.net>

models/repo_list.go

@@ -340,41 +340,39 @@ func SearchRepositoryByCondition(opts *SearchRepoOptions, cond builder.Cond) (Re
 // accessibleRepositoryCondition takes a user a returns a condition for checking if a repository is accessible
 func accessibleRepositoryCondition(userID int64) builder.Cond {
 	if userID <= 0 {
+		// Public repositories that are not in private or limited organizations
 		return builder.And(
 			builder.Eq{"`repository`.is_private": false},
-			builder.Or(
+			builder.NotIn("`repository`.owner_id",
-				//   A. Aren't in organisations  __OR__
+				builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization}).And(builder.Neq{"visibility": structs.VisibleTypePublic})))
-				builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
-				//   B. Is a public organisation.
-				builder.In("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"visibility": structs.VisibleTypePublic}))),
-		)
 	}
 
 	return builder.Or(
-		// 1. Be able to see all non-private repositories that either:
+		// 1. All public repositories that are not in private organizations
 		builder.And(
 			builder.Eq{"`repository`.is_private": false},
-			builder.Or(
+			builder.NotIn("`repository`.owner_id",
-				//   A. Aren't in organisations  __OR__
+				builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization}).And(builder.Eq{"visibility": structs.VisibleTypePrivate}))),
-				builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"type": UserTypeOrganization})),
+		// 2. Be able to see all repositories that we own
-				//   B. Isn't a private organisation. (Limited is OK because we're logged in)
+		builder.Eq{"`repository`.owner_id": userID},
-				builder.NotIn("`repository`.owner_id", builder.Select("id").From("`user`").Where(builder.Eq{"visibility": structs.VisibleTypePrivate}))),
+		// 3. Be able to see all repositories that we have access to
-		),
+		builder.In("`repository`.id", builder.Select("repo_id").
-		// 2. Be able to see all repositories that we have access to
+			From("`access`").
-		builder.Or(
+			Where(builder.And(
-			builder.In("`repository`.id", builder.Select("repo_id").
+				builder.Eq{"user_id": userID},
-				From("`access`").
+				builder.Gt{"mode": int(AccessModeNone)}))),
-				Where(builder.And(
+		// 4. Be able to see all repositories that we are in a team
-					builder.Eq{"user_id": userID},
-					builder.Gt{"mode": int(AccessModeNone)}))),
-			builder.In("`repository`.id", builder.Select("id").
-				From("`repository`").
-				Where(builder.Eq{"owner_id": userID}))),
-		// 3. Be able to see all repositories that we are in a team
 		builder.In("`repository`.id", builder.Select("`team_repo`.repo_id").
 			From("team_repo").
 			Where(builder.Eq{"`team_user`.uid": userID}).
-			Join("INNER", "team_user", "`team_user`.team_id = `team_repo`.team_id")))
+			Join("INNER", "team_user", "`team_user`.team_id = `team_repo`.team_id")),
+		// 5. Be able to see all public repos in private organizations that we are an org_user of
+		builder.And(builder.Eq{"`repository`.is_private": false},
+			builder.In("`repository`.owner_id",
+				builder.Select("`org_user`.org_id").
+					From("org_user").
+					Where(builder.Eq{"`org_user`.uid": userID}))),
+	)
 }
 
 // SearchRepositoryByName takes keyword and part of repository name to search,