[v11.0/forgejo] fix: only redirect to a new owner (organization or user) if the user has permissions to view the new owner (#9089)

**Backport: https://codeberg.org/forgejo/forgejo/pulls/9072** Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9089
2025-10-05 19:30:58 +00:00 · 2025-08-30 18:52:43 +02:00 · 2025-08-30 18:52:43 +02:00 · a040ef4b0d
commit a040ef4b0d
parent 3de4b351a2
18 changed files with 252 additions and 67 deletions
--- a/services/user/user_test.go
+++ b/services/user/user_test.go
@ -22,6 +22,7 @@ import (
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/test"
 	"forgejo.org/modules/timeutil"
+	redirect_service "forgejo.org/services/redirect"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@ -187,7 +188,7 @@ func TestRenameUser(t *testing.T) {
 		require.NoError(t, RenameUser(db.DefaultContext, user, newUsername))
 		unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: user.ID, Name: newUsername, LowerName: strings.ToLower(newUsername)})

-		redirectUID, err := user_model.LookupUserRedirect(db.DefaultContext, oldUsername)
+		redirectUID, err := redirect_service.LookupUserRedirect(db.DefaultContext, user, oldUsername)
 		require.NoError(t, err)
 		assert.EqualValues(t, user.ID, redirectUID)