Link mentioned user in markdown only if they are visible to viewer

We need to make sure a user can't confirm the existence of a user with private visibility Signed-off-by: Yarden Shoham <hrsi88@gmail.com>
yardenshoham · Oct 22, 2022 · a1c2cb3 · a1c2cb3
1 parent 63ebb53
commit a1c2cb3
Showing 1 changed file with 10 additions and 8 deletions.
diff --git a/services/markup/processorhelper.go b/services/markup/processorhelper.go
@@ -8,22 +8,24 @@ import (
 	"context"
 
 	"code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/log"
+	module_context "code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/markup"
 )
 
 func ProcessorHelper() *markup.ProcessorHelper {
 	return &markup.ProcessorHelper{
 		IsUsernameMentionable: func(ctx context.Context, username string) bool {
-			// TODO: cast ctx to modules/context.Context and use IsUserVisibleToViewer
-
-			// Only link if the user actually exists
-			userExists, err := user.IsUserExist(ctx, 0, username)
+			mentionedUser, err := user.GetUserByName(ctx, username)
 			if err != nil {
-				log.Error("Failed to validate user in mention %q exists, assuming it does", username)
-				userExists = true
+				return false
+			}
+
+			moduleCtx, ok := ctx.(*module_context.Context)
+			if !ok {
+				return false
 			}
-			return userExists
+
+			return user.IsUserVisibleToViewer(moduleCtx, mentionedUser, moduleCtx.Doer)
 		},
 	}
 }