From 5bc3b8655ca2207d26008f0a1000b8c550105bac Mon Sep 17 00:00:00 2001
From: "m.huber"
Date: Mon, 13 Nov 2023 20:06:14 +0100
Subject: [PATCH] restricted users only see repos in orgs witch there team was assigned to
---
 models/repo/repo_list.go | 10 +++++-----
 models/user/search.go | 3 ++-
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/models/repo/repo_list.go b/models/repo/repo_list.go
index 1668c23c774..533ca5251fe 100644
--- a/models/repo/repo_list.go
+++ b/models/repo/repo_list.go
@@ -652,12 +652,12 @@ func AccessibleRepositoryCondition(user *user_model.User, unitType unit.Type) bu
 userOrgTeamUnitRepoCond("`repository`.id", user.ID, unitType),
 )
 }
- cond = cond.Or(
- // 4. Repositories that we directly own
- builder.Eq{"`repository`.owner_id": user.ID},
+ // 4. Repositories that we directly own
+ cond = cond.Or(builder.Eq{"`repository`.owner_id": user.ID})
+ if !user.IsRestricted {
 // 5. Be able to see all public repos in private organizations that we are an org_user of
- userOrgPublicRepoCond(user.ID),
- )
+ cond = cond.Or(userOrgPublicRepoCond(user.ID))
+ }
 }

 return cond
diff --git a/models/user/search.go b/models/user/search.go
index 98d78e52987..59143d746e6 100644
--- a/models/user/search.go
+++ b/models/user/search.go
@@ -160,7 +160,8 @@ func BuildCanSeeUserCondition(actor *User) builder.Cond {
 // or private users who do follow them
 cond = cond.Or(builder.Eq{
 "`user`.visibility": structs.VisibleTypePrivate,
- "`user`.id": builder.Select("follow.user_id").From("follow").Where(builder.Eq{"follow.follow_id": actor.ID})})
+ "`user`.id": builder.Select("follow.user_id").From("follow").Where(builder.Eq{"follow.follow_id": actor.ID}),
+ })
 }
 // Don't forget about self
 return cond.Or(builder.Eq{"`user`.id": actor.ID})
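Review bot: The new `if !user.IsRestricted` gate around condition 5 in models/repo/repo_list.go changes which repositories a restricted user can see, but the patch touches only the two model files, so no test pins this authorization behaviour. A test should assert that a restricted org member no longer matches `userOrgPublicRepoCond` while a repository assigned to one of their teams still matches. The comment inside the branch still reads as unconditional; I would reword it to `// 5. Unless the user is restricted, be able to see all public repos in private organizations that we are an org_user of`. Any other query builder that calls `userOrgPublicRepoCond` directly would presumably need the same gate, which cannot be confirmed from this hunk. AccessibleRepositoryCondition begins above the hunk, so the earlier conditions were not reviewed.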