For users and organizations check if they exits and the reporter can view them.

2025-03-14 15:52:43 +00:00 · 2025-03-07 12:25:09 +02:00 · 2025-03-07 12:25:09 +02:00 · 570794e68e
commit 570794e68e
parent 35970a1c0e
1 changed files with 62 additions and 49 deletions
--- a/services/moderation/reporting.go
+++ b/services/moderation/reporting.go
@ -26,74 +26,87 @@ var (
 // When reporting repositories the user should have at least read access to any repo unit type.
 // When reporting issues, pull requests or comments the user should have at least read access
 // to 'TypeIssues', respectively 'TypePullRequests' unit for the repository where the content belongs.
-// When reporting users or organizations no checks are made.
+// When reporting users or organizations doer should be able to view the reported user.
 func CanReport(ctx context.Context, doer *user.User, contentType moderation.ReportedContentType, contentID int64) (bool, error) {
 	var hasAccess bool = false
 	var issueID int64 = 0
 	var repoID int64 = 0
 	var unitType unit.Type = unit.TypeInvalid

-	if contentType == moderation.ReportedContentTypeComment {
-		comment, err := issues.GetCommentByID(ctx, contentID)
+	if contentType == moderation.ReportedContentTypeUser {
+		reported_user, err := user.GetUserByID(ctx, contentID)
 		if err != nil {
-			if issues.IsErrCommentNotExist(err) {
-				log.Warn("User #%d wanted to report comment #%d but it does not exist.", doer.ID, contentID)
-				return false, ErrContentDoesNotExist
-			}
-			return false, err
-		}
-		issueID = comment.IssueID
-	} else if contentType == moderation.ReportedContentTypeIssue {
-		issueID = contentID
-	} else if contentType == moderation.ReportedContentTypeRepository {
-		repoID = contentID
-	}
-
-	if issueID > 0 {
-		issue, err := issues.GetIssueByID(ctx, issueID)
-		if err != nil {
-			if issues.IsErrIssueNotExist(err) {
-				log.Warn("User #%d wanted to report issue #%d (or one of its comments) but it does not exist.", doer.ID, issueID)
+			if user.IsErrUserNotExist(err) {
+				log.Warn("User #%d wanted to report user #%d but it does not exist.", doer.ID, contentID)
 				return false, ErrContentDoesNotExist
 			}
 			return false, err
 		}

-		repoID = issue.RepoID
-		if issue.IsPull {
-			unitType = unit.TypePullRequests
-		} else {
-			unitType = unit.TypeIssues
-		}
-	}
-
-	if repoID > 0 {
-		repo, err := repo_model.GetRepositoryByID(ctx, repoID)
-		if err != nil {
-			if repo_model.IsErrRepoNotExist(err) {
-				log.Warn("User #%d wanted to report repository #%d (or one of its issues / comments) but it does not exist.", doer.ID, repoID)
-				return false, ErrContentDoesNotExist
+		hasAccess = user.IsUserVisibleToViewer(ctx, reported_user, ctx.Doer)
+	} else {
+		if contentType == moderation.ReportedContentTypeComment {
+			comment, err := issues.GetCommentByID(ctx, contentID)
+			if err != nil {
+				if issues.IsErrCommentNotExist(err) {
+					log.Warn("User #%d wanted to report comment #%d but it does not exist.", doer.ID, contentID)
+					return false, ErrContentDoesNotExist
+				}
+				return false, err
 			}
-			return false, err
+			issueID = comment.IssueID
+		} else if contentType == moderation.ReportedContentTypeIssue {
+			issueID = contentID
+		} else if contentType == moderation.ReportedContentTypeRepository {
+			repoID = contentID
 		}

 		if issueID > 0 {
-			hasAccess, err = access_model.HasAccessUnit(ctx, doer, repo, unitType, perm.AccessModeRead)
-			if err != nil {
-				return false, err
-			} else if !hasAccess {
-				log.Warn("User #%d wanted to report issue #%d or one of its comments from repository #%d but they don't have access to it.", doer.ID, issueID, repoID)
-				return false, ErrDoerNotAllowed
-			}
-		} else {
-			perm, err := access_model.GetUserRepoPermission(ctx, repo, doer)
+			issue, err := issues.GetIssueByID(ctx, issueID)
 			if err != nil {
+				if issues.IsErrIssueNotExist(err) {
+					log.Warn("User #%d wanted to report issue #%d (or one of its comments) but it does not exist.", doer.ID, issueID)
+					return false, ErrContentDoesNotExist
+				}
 				return false, err
 			}
-			hasAccess = perm.CanReadAny(unit.AllRepoUnitTypes...)
-			if !hasAccess {
-				log.Warn("User #%d wanted to report repository #%d but they don't have access to it.", doer.ID, repoID)
-				return false, ErrDoerNotAllowed
+
+			repoID = issue.RepoID
+			if issue.IsPull {
+				unitType = unit.TypePullRequests
+			} else {
+				unitType = unit.TypeIssues
+			}
+		}
+
+		if repoID > 0 {
+			repo, err := repo_model.GetRepositoryByID(ctx, repoID)
+			if err != nil {
+				if repo_model.IsErrRepoNotExist(err) {
+					log.Warn("User #%d wanted to report repository #%d (or one of its issues / comments) but it does not exist.", doer.ID, repoID)
+					return false, ErrContentDoesNotExist
+				}
+				return false, err
+			}
+
+			if issueID > 0 {
+				hasAccess, err = access_model.HasAccessUnit(ctx, doer, repo, unitType, perm.AccessModeRead)
+				if err != nil {
+					return false, err
+				} else if !hasAccess {
+					log.Warn("User #%d wanted to report issue #%d or one of its comments from repository #%d but they don't have access to it.", doer.ID, issueID, repoID)
+					return false, ErrDoerNotAllowed
+				}
+			} else {
+				perm, err := access_model.GetUserRepoPermission(ctx, repo, doer)
+				if err != nil {
+					return false, err
+				}
+				hasAccess = perm.CanReadAny(unit.AllRepoUnitTypes...)
+				if !hasAccess {
+					log.Warn("User #%d wanted to report repository #%d but they don't have access to it.", doer.ID, repoID)
+					return false, ErrDoerNotAllowed
+				}
 			}
 		}
 	}