[v12.0/forgejo] fix: only redirect to a new owner (organization or user) if the user has permissions to view the new owner (#9091)

**Backport: https://codeberg.org/forgejo/forgejo/pulls/9072** Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9091
2025-10-05 19:30:58 +00:00 · 2025-08-30 18:42:11 +02:00 · 2025-08-30 18:42:11 +02:00 · 5538ab29e3
commit 5538ab29e3
parent 6636550157
18 changed files with 252 additions and 67 deletions
--- a/services/context/repo.go
+++ b/services/context/repo.go
@ -35,6 +35,7 @@ import (
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/util"
 	asymkey_service "forgejo.org/services/asymkey"
+	redirect_service "forgejo.org/services/redirect"

 	"github.com/editorconfig/editorconfig-core-go/v2"
 )
@ -477,12 +478,12 @@ func RepoAssignment(ctx *Context) context.CancelFunc {
 					return nil
 				}

-				if redirectUserID, err := user_model.LookupUserRedirect(ctx, userName); err == nil {
+				if redirectUserID, err := redirect_service.LookupUserRedirect(ctx, ctx.Doer, userName); err == nil {
 					RedirectToUser(ctx.Base, userName, redirectUserID)
 				} else if user_model.IsErrUserRedirectNotExist(err) {
 					ctx.NotFound("GetUserByName", nil)
 				} else {
-					ctx.ServerError("LookupUserRedirect", err)
+					ctx.ServerError("LookupRedirect", err)
 				}
 			} else {
 				ctx.ServerError("GetUserByName", err)
@ -519,7 +520,7 @@ func RepoAssignment(ctx *Context) context.CancelFunc {
 	repo, err := repo_model.GetRepositoryByName(ctx, owner.ID, repoName)
 	if err != nil {
 		if repo_model.IsErrRepoNotExist(err) {
-			redirectRepoID, err := repo_model.LookupRedirect(ctx, owner.ID, repoName)
+			redirectRepoID, err := redirect_service.LookupRepoRedirect(ctx, ctx.Doer, owner.ID, repoName)
 			if err == nil {
 				RedirectToRepo(ctx.Base, redirectRepoID)
 			} else if repo_model.IsErrRedirectNotExist(err) {