[v12.0/forgejo] fix: only redirect to a new owner (organization or user) if the user has permissions to view the new owner (#9091)

**Backport: https://codeberg.org/forgejo/forgejo/pulls/9072** Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9091
2025-10-05 19:30:58 +00:00 · 2025-08-30 18:42:11 +02:00 · 2025-08-30 18:42:11 +02:00 · 5538ab29e3
commit 5538ab29e3
parent 6636550157
18 changed files with 252 additions and 67 deletions
--- a/services/context/user.go
+++ b/services/context/user.go
@ -9,6 +9,7 @@ import (
 	"strings"

 	user_model "forgejo.org/models/user"
+	redirect_service "forgejo.org/services/redirect"
 )

 // UserAssignmentWeb returns a middleware to handle context-user assignment for web routes
@ -68,12 +69,12 @@ func userAssignment(ctx *Base, doer *user_model.User, errCb func(int, string, an
 		contextUser, err = user_model.GetUserByName(ctx, username)
 		if err != nil {
 			if user_model.IsErrUserNotExist(err) {
-				if redirectUserID, err := user_model.LookupUserRedirect(ctx, username); err == nil {
+				if redirectUserID, err := redirect_service.LookupUserRedirect(ctx, doer, username); err == nil {
 					RedirectToUser(ctx, username, redirectUserID)
 				} else if user_model.IsErrUserRedirectNotExist(err) {
 					errCb(http.StatusNotFound, "GetUserByName", err)
 				} else {
-					errCb(http.StatusInternalServerError, "LookupUserRedirect", err)
+					errCb(http.StatusInternalServerError, "LookupRedirect", err)
 				}
 			} else {
 				errCb(http.StatusInternalServerError, "GetUserByName", err)