Do not allow Ghost access to limited visible user/org (#21849) (#21876)

Backport of #21849
1 year ago · b2369830bb
parent ef08998bf6
commit b2369830bb
1 changed files with 3 additions and 2 deletions
--- a/models/organization/org.go
+++ b/models/organization/org.go
@ -458,8 +458,9 @@ func CountOrgs(opts FindOrgOptions) (int64, error) {

 // HasOrgOrUserVisible tells if the given user can see the given org or user
 func HasOrgOrUserVisible(ctx context.Context, orgOrUser, user *user_model.User) bool {
-	// Not SignedUser
-	if user == nil {
+	// If user is nil, it's an anonymous user/request.
+	// The Ghost user is handled like an anonymous user.
+	if user == nil || user.IsGhost() {
 		return orgOrUser.Visibility == structs.VisibleTypePublic
 	}