Do some missing checks (#28423)

(cherry picked from commit 717d0f5934) Conflicts: routers/api/v1/api.go trivial contextual conflict
2025-08-11 17:50:57 +00:00 · 2023-12-12 13:01:17 +08:00 · 2023-12-12 13:01:17 +08:00 · 7aa1e1a54d
commit 7aa1e1a54d
parent 5528072d04
3 changed files with 62 additions and 3 deletions
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -693,6 +693,24 @@ func buildAuthGroup() *auth.Group {
 	return group
 }

+func individualPermsChecker(ctx *context.APIContext) {
+	// org permissions have been checked in context.OrgAssignment(), but individual permissions haven't been checked.
+	if ctx.ContextUser.IsIndividual() {
+		switch {
+		case ctx.ContextUser.Visibility == api.VisibleTypePrivate:
+			if ctx.Doer == nil || (ctx.ContextUser.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin) {
+				ctx.NotFound("Visit Project", nil)
+				return
+			}
+		case ctx.ContextUser.Visibility == api.VisibleTypeLimited:
+			if ctx.Doer == nil {
+				ctx.NotFound("Visit Project", nil)
+				return
+			}
+		}
+	}
+}
+
 // Routes registers all v1 APIs routes to web application.
 func Routes(ctx gocontext.Context) *web.Route {
 	m := web.NewRoute()
@ -798,7 +816,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 				}, reqBasicAuth())

 				m.Get("/activities/feeds", user.ListUserActivityFeeds)
-			}, context_service.UserAssignmentAPI())
+			}, context_service.UserAssignmentAPI(), individualPermsChecker)
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser))

 		// Users (requires user scope)