Gitea: Gitea code search ignores user permissions

Created on 5 Sep 2019 · 6Comments · Source: go-gitea/gitea

Gitea version (or commit ref): 1.10.0+dev-245-gc027eac1d
Git version: 2.22.0
Operating system: Alpine Linux v3.10
Database (use [x]):
- [ ] PostgreSQL
- [ ] MySQL
- [ ] MSSQL
- [x] SQLite
Can you reproduce the bug at https://try.gitea.io:
- [ ] Yes (provide example URL)
- [ ] No
- [x] Not relevant
Log gist:

Description

Gitea code search works across all repositories regardless of user permissions (reproduced even if the user is not logged in)

Screenshots

Screenshot 2019-09-05 at 13 10 23

kinbug stale

Source

DNAlchemist

Most helpful comment

@guillep2k I think the problem is when you changed some repository from public to private or removed some user's permissions of some repositories. the indexer may not be updated.

@lunny Whether or not the indexer is updated should not affect this. The indexer processes all repositories, no matter their status. The search function however filters by permissions at the moment of the user action, so I don't see how the results list could be outdated:

https://github.com/go-gitea/gitea/blob/c03d75fbd51174d0e7ffdbaf9e9e253438d06cf7/routers/home.go#L303-L309

guillep2k on 6 Sep 2019

👍2

All 6 comments

I'll give this a look.

guillep2k on 5 Sep 2019

👍2

@DNAlchemist I'm unable to reproduce, neither with my prod version (1.9.2) or the latest master (79c8bc0e51db9ef1579b72d0510cac9aaded06db).

Isn't it possible that you have some misbehaving caching entity in between (e.g. a proxy)?

My test workflow was:

With an admin user:

I navigated to http://__my_server__/explore/code
Enter a search term I knew would bring results (e.g. watermelon).
A list of matches shows up. As the user is admin, I've get matches from all repositories that have watermelon in a file. Most of them are marked as private.
Clicked on any repository link or [View File] button from the results; they all work as expected.

Then I've created a testuser user, no special permissions, no teams. I've logged in and:

I navigated to http://__my_server__/explore/code
Entered watermelon as a search term.
I've only got results from repositories not marked as private.
Clicked on any repository link or [View File] button from the results; they all work as expected.

Finally, I've logged off, set REQUIRE_SIGNIN_VIEW=off (my normal setting is on) and:

I navigated to http://__my_server__/explore/code
Entered watermelon as a search term.
I've only got results from repositories not marked as private.
Clicked on any repository link or [View File] button from the results; they all work as expected.

guillep2k on 6 Sep 2019

@guillep2k I think the problem is when you changed some repository from public to private or removed some user's permissions of some repositories. the indexer may not be updated.

lunny on 6 Sep 2019

@guillep2k I think the problem is when you changed some repository from public to private or removed some user's permissions of some repositories. the indexer may not be updated.

https://github.com/go-gitea/gitea/blob/c03d75fbd51174d0e7ffdbaf9e9e253438d06cf7/routers/home.go#L303-L309

guillep2k on 6 Sep 2019

👍2

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.