lunny · 6543 · Jun 20, 2021 · Jun 15, 2021 · Jun 15, 2021 · Jun 15, 2021
diff --git a/models/org.go b/models/org.go
@@ -427,22 +427,47 @@ func GetUserOrgsList(uid int64) ([]*MinimalOrg, error) {
 // FindOrgOptions finds orgs options
 type FindOrgOptions struct {
 	ListOptions
-	UserID         int64
-	IncludePrivate bool
+	Actor  *User
+	UserID int64
+}
+
+// queryOrgMembershipVisibleOrgIDs return query to only get org's of user who user is part of in public
+func queryOrgMembershipVisibleOrgIDs(actor *User) *builder.Builder {
+	if actor == nil {
+		return builder.Select("org_user.org_id").From("org_user").Where(builder.Eq{"org_user.is_public": true})
+	}
+	if actor.IsAdmin {
+		return builder.Select("org_user.org_id").From("org_user")
+	}
+	return builder.Select("org_user.org_id").From("org_user").Where(builder.Eq{"org_user.is_public": true}).Or(builder.Eq{"org_user.uid": actor.ID})
 }
 
 func (opts FindOrgOptions) toConds() builder.Cond {
 	var cond = builder.NewCond()
+
+	// filter by user id
 	if opts.UserID > 0 {
-		cond = cond.And(builder.In("`user`.`id`", queryUserOrgIDs(opts.UserID)))
-	}
-	if !opts.IncludePrivate {
-		cond = cond.And(builder.Eq{"`user`.visibility": structs.VisibleTypePublic})
+		cond = cond.And(builder.In("`user`.`id`",
+			builder.Select("org_user.org_id").
+				From("org_user").
+				Where(builder.Eq{"org_user.uid": opts.UserID})))
+	}
+
+	// make sure user set membership visible
+	cond = cond.And(builder.In("`user`.`id`", queryOrgMembershipVisibleOrgIDs(opts.Actor)))
+
+	// return only org's actor is allowed to see
+	if opts.Actor != nil {
+		if !opts.Actor.IsAdmin {
+			cond = cond.And(builder.In("`user`.visibility", structs.VisibleTypePublic, structs.VisibleTypeLimited).Or(builder.In("`user`.`id`",
+				builder.Select("org_user.org_id").
+					From("org_user").
+					Where(builder.Eq{"org_user.uid": opts.Actor.ID}))))
+		}
 	} else {
-		cond = cond.And(builder.Eq{"`user`.visibility": structs.VisibleTypePrivate}.Or(
-			builder.Eq{"`user`.visibility": structs.VisibleTypeLimited},
-		))
+		cond = cond.And(builder.Eq{"`user`.visibility": structs.VisibleTypePublic})
 	}
+
 	return cond
 }
 
@@ -460,9 +485,7 @@ func FindOrgs(opts FindOrgOptions) ([]*User, error) {
 
 // CountOrgs returns total count organizations according options
 func CountOrgs(opts FindOrgOptions) (int64, error) {
-	return x.Join("INNER", "`org_user`", "`org_user`.org_id=`user`.id").
-		Where(opts.toConds()).
-		Count(new(User))
+	return x.Where(opts.toConds()).Count(new(User))
 }
 
 func getOwnedOrgsByUserID(sess *xorm.Session, userID int64) ([]*User, error) {

diff --git a/models/org_test.go b/models/org_test.go
@@ -325,27 +325,30 @@ func TestFindOrgs(t *testing.T) {
 	assert.NoError(t, PrepareTestDatabase())
 
 	orgs, err := FindOrgs(FindOrgOptions{
-		UserID:         4,
-		IncludePrivate: true,
+		UserID: 4,
+		Actor:  &User{ID: 4},
 	})
 	assert.NoError(t, err)
 	if assert.Len(t, orgs, 1) {
 		assert.EqualValues(t, 3, orgs[0].ID)
 	}
+	total, err := CountOrgs(FindOrgOptions{
+		UserID: 4,
+		Actor:  &User{ID: 4},
+	})
+	assert.NoError(t, err)
+	assert.EqualValues(t, 1, total)
 
 	orgs, err = FindOrgs(FindOrgOptions{
-		UserID:         4,
-		IncludePrivate: false,
+		UserID: 4,
 	})
 	assert.NoError(t, err)
 	assert.EqualValues(t, 0, len(orgs))
-
-	total, err := CountOrgs(FindOrgOptions{
-		UserID:         4,
-		IncludePrivate: true,
+	total, err = CountOrgs(FindOrgOptions{
+		UserID: 4,
 	})
 	assert.NoError(t, err)
-	assert.EqualValues(t, 1, total)
+	assert.EqualValues(t, 0, total)
 }
 
 func TestGetOwnedOrgsByUserID(t *testing.T) {

diff --git a/routers/api/v1/org/org.go b/routers/api/v1/org/org.go
@@ -20,12 +20,11 @@ import (
 
 func listUserOrgs(ctx *context.APIContext, u *models.User) {
 	listOptions := utils.GetListOptions(ctx)
-	showPrivate := ctx.IsSigned && (ctx.User.IsAdmin || ctx.User.ID == u.ID)
 
 	var opts = models.FindOrgOptions{
-		ListOptions:    listOptions,
-		UserID:         u.ID,
-		IncludePrivate: showPrivate,
+		Actor:       ctx.User,
+		ListOptions: listOptions,
+		UserID:      u.ID,
 	}
 	orgs, err := models.FindOrgs(opts)
 	if err != nil {

diff --git a/routers/web/user/profile.go b/routers/web/user/profile.go
@@ -125,11 +125,9 @@ func Profile(ctx *context.Context) {
 		ctx.Data["RenderedDescription"] = content
 	}
 
-	showPrivate := ctx.IsSigned && (ctx.User.IsAdmin || ctx.User.ID == ctxUser.ID)
-
 	orgs, err := models.FindOrgs(models.FindOrgOptions{
-		UserID:         ctxUser.ID,
-		IncludePrivate: showPrivate,
+		Actor:  ctx.User,
+		UserID: ctxUser.ID,
 	})
 	if err != nil {
 		ctx.ServerError("FindOrgs", err)
@@ -211,6 +209,7 @@ func Profile(ctx *context.Context) {
 
 		total = ctxUser.NumFollowing
 	case "activity":
+		showPrivate := ctx.IsSigned && (ctx.User.IsAdmin || ctx.User.ID == ctxUser.ID)
 		retrieveFeeds(ctx, models.GetFeedsOptions{RequestedUser: ctxUser,
 			Actor:           ctx.User,
 			IncludePrivate:  showPrivate,

diff --git a/routers/web/user/setting/profile.go b/routers/web/user/setting/profile.go
@@ -214,8 +214,8 @@ func Organization(ctx *context.Context) {
 			PageSize: setting.UI.Admin.UserPagingNum,
 			Page:     ctx.QueryInt("page"),
 		},
-		UserID:         ctx.User.ID,
-		IncludePrivate: ctx.IsSigned,
+		Actor:  ctx.User,
+		UserID: ctx.User.ID,
 	}
 
 	if opts.Page <= 0 {