[v11.0/forgejo] fix: only redirect to a new owner (organization or user) if the user has permissions to view the new owner (#9089)

**Backport: https://codeberg.org/forgejo/forgejo/pulls/9072** Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9089
2025-10-10 19:32:02 +00:00 · 2025-08-30 18:52:43 +02:00 · 2025-08-30 18:52:43 +02:00 · a040ef4b0d
commit a040ef4b0d
parent 3de4b351a2
18 changed files with 252 additions and 67 deletions
--- a/services/redirect/user.go
+++ b/services/redirect/user.go
@ -0,0 +1,30 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+package redirect
+
+import (
+	"context"
+
+	user_model "forgejo.org/models/user"
+)
+
+// LookupUserRedirect returns the userID if there's a redirect registered for the
+// username. It additionally checks if the doer has permission to view the new
+// user.
+func LookupUserRedirect(ctx context.Context, doer *user_model.User, userName string) (int64, error) {
+	redirect, err := user_model.GetUserRedirect(ctx, userName)
+	if err != nil {
+		return 0, err
+	}
+
+	redirectUser, err := user_model.GetUserByID(ctx, redirect.RedirectUserID)
+	if err != nil {
+		return 0, err
+	}
+
+	if !user_model.IsUserVisibleToViewer(ctx, redirectUser, doer) {
+		return 0, user_model.ErrUserRedirectNotExist{Name: userName, MissingPermission: true}
+	}
+
+	return redirect.RedirectUserID, nil
+}