[v11.0/forgejo] fix: only redirect to a new owner (organization or user) if the user has permissions to view the new owner (#9089)

**Backport: https://codeberg.org/forgejo/forgejo/pulls/9072** Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9089
2025-10-15 19:42:04 +00:00 · 2025-08-30 18:52:43 +02:00 · 2025-08-30 18:52:43 +02:00 · a040ef4b0d
commit a040ef4b0d
parent 3de4b351a2
18 changed files with 252 additions and 67 deletions
--- a/routers/api/v1/user/helper.go
+++ b/routers/api/v1/user/helper.go
@ -8,6 +8,7 @@ import (

 	user_model "forgejo.org/models/user"
 	"forgejo.org/services/context"
+	redirect_service "forgejo.org/services/redirect"
 )

 // GetUserByParamsName get user by name
@ -16,7 +17,7 @@ func GetUserByParamsName(ctx *context.APIContext, name string) *user_model.User
 	user, err := user_model.GetUserByName(ctx, username)
 	if err != nil {
 		if user_model.IsErrUserNotExist(err) {
-			if redirectUserID, err2 := user_model.LookupUserRedirect(ctx, username); err2 == nil {
+			if redirectUserID, err2 := redirect_service.LookupUserRedirect(ctx, ctx.Doer, username); err2 == nil {
 				context.RedirectToUser(ctx.Base, username, redirectUserID)
 			} else {
 				ctx.NotFound("GetUserByName", err)