add checks to api & some tests

models/org_test.go

@@ -544,3 +544,72 @@ func TestAccessibleReposEnv_MirrorRepos(t *testing.T) {
 	testSuccess(2, []int64{5})
 	testSuccess(4, []int64{})
 }
+
+func TestHasOrgVisibleTypePublic(t *testing.T) {
+	assert.NoError(t, PrepareTestDatabase())
+	owner := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
+	user3 := AssertExistsAndLoadBean(t, &User{ID: 3}).(*User)
+
+	const newOrgName = "test-org-public"
+	org := &User{
+		Name: newOrgName,
+		Visibility: VisibleTypePublic,
+	}
+
+	AssertNotExistsBean(t, &User{Name: org.Name, Type: UserTypeOrganization})
+	assert.NoError(t, CreateOrganization(org, owner))
+	org = AssertExistsAndLoadBean(t,
+		&User{Name: org.Name, Type: UserTypeOrganization}).(*User)
+	test1 := HasOrgVisible([]*User{org}, owner)
+	test2 := HasOrgVisible([]*User{org}, user3)
+	test3 := HasOrgVisible([]*User{org}, nil)
+	assert.Equal(t, test1, true) // owner of org
+	assert.Equal(t, test2, true) // user not a part of org
+	assert.Equal(t, test3, true) // logged out user
+}
+
+func TestHasOrgVisibleTypeLimited(t *testing.T) {
+	assert.NoError(t, PrepareTestDatabase())
+	owner := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
+	user3 := AssertExistsAndLoadBean(t, &User{ID: 3}).(*User)
+
+	const newOrgName = "test-org-limited"
+	org := &User{
+		Name: newOrgName,
+		Visibility: VisibleTypeLimited,
+	}
+
+	AssertNotExistsBean(t, &User{Name: org.Name, Type: UserTypeOrganization})
+	assert.NoError(t, CreateOrganization(org, owner))
+	org = AssertExistsAndLoadBean(t,
+		&User{Name: org.Name, Type: UserTypeOrganization}).(*User)
+	test1 := HasOrgVisible([]*User{org}, owner)
+	test2 := HasOrgVisible([]*User{org}, user3)
+	test3 := HasOrgVisible([]*User{org}, nil)
+	assert.Equal(t, test1, true) // owner of org
+	assert.Equal(t, test2, true) // user not a part of org
+	assert.Equal(t, test3, false) // logged out user
+}
+
+func TestHasOrgVisibleTypePrivate(t *testing.T) {
+	assert.NoError(t, PrepareTestDatabase())
+	owner := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
+	user3 := AssertExistsAndLoadBean(t, &User{ID: 3}).(*User)
+
+	const newOrgName = "test-org-private"
+	org := &User{
+		Name: newOrgName,
+		Visibility: VisibleTypePrivate,
+	}
+
+	AssertNotExistsBean(t, &User{Name: org.Name, Type: UserTypeOrganization})
+	assert.NoError(t, CreateOrganization(org, owner))
+	org = AssertExistsAndLoadBean(t,
+		&User{Name: org.Name, Type: UserTypeOrganization}).(*User)
+	test1 := HasOrgVisible([]*User{org}, owner)
+	test2 := HasOrgVisible([]*User{org}, user3)
+	test3 := HasOrgVisible([]*User{org}, nil)
+	assert.Equal(t, test1, true) // owner of org
+	assert.Equal(t, test2, false) // user not a part of org
+	assert.Equal(t, test3, false) // logged out user
+}

routers/api/v1/org/org.go

@@ -78,6 +78,11 @@ func Get(ctx *context.APIContext) {
 	// responses:
 	//   "200":
 	//     "$ref": "#/responses/Organization"
+	canSeeOrg := models.HasOrgVisible([]*models.User{ctx.Org}, ctx.User)
+	if !canSeeOrg {
+		ctx.NotFound("HasOrgVisible", nil)
+		return
+	}
 	ctx.JSON(200, convert.ToOrganization(ctx.Org.Organization))
 }
 

routers/api/v1/repo/repo.go

@@ -257,6 +257,12 @@ func CreateOrgRepo(ctx *context.APIContext, opt api.CreateRepoOption) {
 		return
 	}
 
+	canSeeOrg := models.HasOrgVisible([]*models.User{org}, ctx.User)
+	if !canSeeOrg {
+		ctx.NotFound("HasOrgVisible", nil)
+		return
+	}
+
 	if !ctx.User.IsAdmin {
 		isOwner, err := org.IsOwnedBy(ctx.User.ID)
 		if err != nil {