Gitea: Public repositories within private org are not visible to members

Created on 5 Feb 2020 · 15 Comments · Source: go-gitea/gitea

  • Gitea version (or commit ref): 1.10.3 / 1.12.0+dev-251-gd4096ab6a
  • Git version: Not relevant
  • Operating system: Not relevant
  • Database:
    • [ ] PostgreSQL
    • [x] MySQL
    • [ ] MSSQL
    • [ ] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [x] Yes (provide example URL)
    • [ ] No
    • [ ] Not relevant

  • Log gist: Not relevant

Description

When a repository within an organization whose visibility is set to Private is set as public, and a user is part of a team that has no access specified to this repository, the repository can be accessed via direct URI but cannot be viewed in any list within the UI.

I would expect that setting a repository as public within a Private organization would allow members of all teams to view it, regardless of the team's permissions and the team's repositories (for example, I might want to make a repository visible but read-only to all members of the organization, while certain teams can write to different repositories).

This does not apply when the organization is set as Limited. In such a case, the repository is properly visible (to both members of the organization as well as outside users).

Owners of the org can of course see all repositories just fine.

Screenshots

[Screenshots: five Chrome and three Firefox captures taken 2020-02-05, showing the repository lists as owner and as member; images not reproduced here]

Label: kind/bug

All 15 comments

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

@proton-ab is this still the case on 1.11.4 or master?

@6543 yes, as a member of a team that has access to certain private repositories within an organization I still cannot see the public repositories in that organization. I can access them directly, but otherwise they are hidden.

The issue seems to be present in SearchRepositoryCondition, specifically in the condition that handles the case opts.OwnerID > 0. The repository will be visible there only if:

  1. We are collaborators - but we are not in this case (either directly or by being in a team that has explicit access to that repository)
  2. It's public and AllPublic is true - but the organization is not public
  3. It's limited and AllLimited is true - but the organization is not limited

As you can see, all 3 cases are false, hence the repository is never shown.
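The three branches above, and the direct-URL access the reporter observed, can be written out as a small model to show where the two authorization paths disagree. This is an added example, not Gitea's code: the real condition is built as SQL in Go, and the class, function and user names here (Org, Repo, listed_for, reachable_by_url, users A and B, org C, repos D and E) are assumptions that follow the reproduction steps in this thread. The candidate `listed_for_with_membership` encodes the behaviour the reporter expected (a public repo listed to every org member) and is an illustration, not the project's fix.

```python
"""Added example (not Gitea's code): model of the owner-scoped repository
listing condition described in the comment, next to the per-repository
access check that lets an org member open a public repo by URL."""

from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet


class OrgVisibility(Enum):
    PUBLIC = "public"
    LIMITED = "limited"
    PRIVATE = "private"


@dataclass(frozen=True)
class Org:
    name: str
    visibility: OrgVisibility
    members: FrozenSet[str]  # usernames of all org members, in any team


@dataclass(frozen=True)
class Repo:
    name: str
    owner: Org
    is_private: bool
    # users with explicit access: direct collaborators, owners, or members
    # of a team that lists this repository in its access list
    collaborators: FrozenSet[str]


def listed_for(repo: Repo, user: str, all_public: bool = True,
               all_limited: bool = True) -> bool:
    """The three branches of the listing condition as the comment describes
    them; any one of them makes the repo appear in the user's lists."""
    if user in repo.collaborators:                       # 1. collaborator
        return True
    if (not repo.is_private and all_public
            and repo.owner.visibility is OrgVisibility.PUBLIC):
        return True                                      # 2. public repo, public org
    if (not repo.is_private and all_limited
            and repo.owner.visibility is OrgVisibility.LIMITED):
        return True                                      # 3. public repo, limited org
    return False                                         # public repo in a private org: hidden


def listed_for_with_membership(repo: Repo, user: str, **kw) -> bool:
    """Candidate behaviour the reporter expected: a public repo is also listed
    to every member of its owning organization (hypothetical, not the fix)."""
    if listed_for(repo, user, **kw):
        return True
    return not repo.is_private and user in repo.owner.members


def reachable_by_url(repo: Repo, user: str) -> bool:
    """Per-repository check as observed in the report: collaborators get in,
    and an org member can open a public repo of their own org. Anonymous
    access to such repos is disputed later in the thread and is not modelled."""
    if user in repo.collaborators:
        return True
    return not repo.is_private and user in repo.owner.members


def list_vs_url_mismatch(repo: Repo, user: str) -> bool:
    """True when the repo opens by URL but is absent from the user's lists,
    i.e. the two authorization paths give different answers."""
    return reachable_by_url(repo, user) and not listed_for(repo, user)


# Constructed fixture following the reproduction steps in the thread: org C is
# private; D is private and granted to team F, which user B belongs to; E is
# public and granted to no team besides the owners.
ORG_C = Org("C", OrgVisibility.PRIVATE, frozenset({"A", "B"}))
REPO_D = Repo("D", ORG_C, is_private=True, collaborators=frozenset({"A", "B"}))
REPO_E = Repo("E", ORG_C, is_private=False, collaborators=frozenset({"A"}))


if __name__ == "__main__":
    for repo in (REPO_D, REPO_E):
        print(repo.name,
              "listed for B:", listed_for(repo, "B"),
              "opens by URL for B:", reachable_by_url(repo, "B"),
              "mismatch:", list_vs_url_mismatch(repo, "B"))
```

Running it shows D listed and reachable, while E is reachable by URL but not listed, which is exactly the inconsistency reported. Flipping the org to Limited makes branch 3 fire and the mismatch disappears, matching the "does not apply when organization is set as Limited" observation in the issue body.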

Can you reproduce on try? I can't seem to reproduce this.

The screenshots included are from try; I can't really link you because the org has to be private.

The reproduction steps, however, are as follows:

  • Create user A
  • Create user B
  • As user A create organization C
  • Mark organization C as private
  • In organization C create private repository D
  • In organization C create public repository E
  • In organization C create team F with write access
  • In team F in organization C, add repository D to access list
  • In organization C, add user B to team C
  • Confirm both repositories D and E are visible
  • Log in as user B, confirm repository D is visible but E is not
  • Manually navigate to URL where repository E should be, confirm it opens

It's weird because I literally just did those steps on master and on try and did not have this problem...

The two users are [email protected] and [email protected]; their passwords are their email addresses, as they predate the (imho unnecessary) password rules. The private org is arprivateOrg.

Arandomer is the owner, tester_mailinator is the user.

You have added the ArPublic repository as accessible to the team 'writers', which [email protected] is part of, hence they can write to it. The bug describes the situation where a user is a member of a team that does not have explicit access to the public repository via the team. I have now corrected the mistake; please check now.

Maybe we should reopen it; the mentioned PR does not fix the issue entirely: the explore page is still missing the public repo but shows the private one.

[Screenshot: Chrome capture taken 2020-05-17 of the explore page; image not reproduced here]

Also unsure if the dashboard should show such a repo or not; currently it does not, since the user is not a contributor, but maybe being a member of the organization should trump that requirement for public repos?

yeah I don't think that I have solved this!

If an organization is private and public repositories are shown, this also reveals the (existence of the) organization, no? So what would the benefit be of having a private organization?

The reason I am asking this is: I created a private organization ("visible only to organization members") and somehow expected all repos to be invisible/private; however, I was able to clone it as an anonymous user.

@mschoettle that sounds like another bug - could you open another issue please?

@mschoettle Public repositories within a private organization are visible to all members of said organization. I cannot reproduce your report (ability to clone public repositories of a private organization as either an anonymous user or a user without access to the organization).

@CirnoT I just tried it on https://try.gitea.io and could reproduce it.

I opened another issue: #11651
