From abe592c6e2478b943125cd3be48c24a075fa6ffd Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 29 Sep 2024 20:00:35 -0700
Subject: [PATCH] Fix repository list permissions

---
 routers/web/repo/issue.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index 3b395e862cb..7e3999ff3ec 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -2077,13 +2077,24 @@ func ViewIssue(ctx *context.Context) {
 	}
 
 	if ctx.IsSigned {
-		forkedRepos, err := repo_model.FindUserOrgForks(ctx, ctx.Repo.Repository.ID, ctx.Doer.ID)
+		forkedRepos, err := repo_model.GetForksByUserAndOrgs(ctx, ctx.Doer, ctx.Repo.Repository)
 		if err != nil {
-			ctx.ServerError("FindUserOrgForks", err)
+			ctx.ServerError("GetForksByUserAndOrgs", err)
 			return
 		}
+		allowedRepos := make([]*repo_model.Repository, 0, len(forkedRepos)+1)
+		for _, repo := range append(forkedRepos, ctx.Repo.Repository) {
+			perm, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
+			if err != nil {
+				ctx.ServerError("GetUserRepoPermission", err)
+				return
+			}
+			if perm.CanWrite(unit.TypeCode) {
+				allowedRepos = append(allowedRepos, repo)
+			}
+		}
 
-		ctx.Data["AllowedRepos"] = append(forkedRepos, ctx.Repo.Repository)
+		ctx.Data["AllowedRepos"] = allowedRepos
 
 		devLinks, err := issue_service.FindIssueDevLinksByIssue(ctx, issue)
 		if err != nil {