From fd76104596aa4dbbf8d68b39461419ccffd97ec6 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Sat, 6 Feb 2021 14:39:14 -0500
Subject: [PATCH] API: prevent disclosure of unlisted/private repos

---
 api/graph/schema.resolvers.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/api/graph/schema.resolvers.go b/api/graph/schema.resolvers.go
index 6c027f5..f93dad3 100644
--- a/api/graph/schema.resolvers.go
+++ b/api/graph/schema.resolvers.go
@@ -951,7 +951,15 @@ func (r *userResolver) Repositories(ctx context.Context, obj *model.User, cursor
 query := database.
 Select(ctx, repo).
 From(`repository repo`).
- Where(`repo.owner_id = ?`, obj.ID)
+ LeftJoin(`access ON repo.id = access.repo_id`).
+ Where(sq.And{
+ sq.Or{
+ sq.Expr(`? IN (access.user_id, repo.owner_id)`,
+ auth.ForContext(ctx).UserID),
+ sq.Expr(`repo.visibility = 'public'`),
+ },
+ sq.Expr(`repo.owner_id = ?`, obj.ID),
+ })
 repos, cursor = repo.QueryWithCursor(ctx, tx, query, cursor)
 return nil
 }); err != nil {
-- 
2.38.4
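Review bot: The new `LeftJoin(`access ON repo.id = access.repo_id`)` is not restricted to the viewer, so a repository with several `access` rows is returned once per row whenever the `sq.Or` holds for each of them (a public repository, or one the caller owns), which duplicates results and can skew the cursor handed to `repo.QueryWithCursor`. Constraining the join to the caller avoids that: `LeftJoin(`access ON repo.id = access.repo_id AND access.user_id = ?`, auth.ForContext(ctx).UserID).` — the `sq.Or` can stay as written and then sees at most one access row per repository, assuming the table holds one row per (repo_id, user_id). If `auth.ForContext(ctx)` can be nil for unauthenticated callers, reading `.UserID` inline would panic; hoisting it into a local and checking it before the query is built would make the anonymous path explicit. The enclosing `Repositories` resolver starts and ends outside the hunk.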