From 178b73fecdb82c9b189f2d6229dd93d202e72e03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E1=B4=9C=C9=B4=E1=B4=8B=C9=B4=E1=B4=A1=E1=B4=8F=C9=B4?=
Date: Sat, 22 Aug 2020 13:17:45 +0800
Subject: [PATCH] repo: users have access to base repository can also view forks (#6261)
---
 CHANGELOG.md | 1 +
 internal/context/repo.go | 19 +++++++++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index edf315145..91dc41b4b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -55,6 +55,7 @@ All notable changes to Gogs are documented in this file.
 - Disallow multiple tokens with same name. [#5587](https://github.com/gogs/gogs/issues/5587) [#5820](https://github.com/gogs/gogs/pull/5820)
 - Enable Federated Avatar Lookup could cause server to crash. [#5848](https://github.com/gogs/gogs/issues/5848)
 - Private repositories are hidden in the organization's view. [#5869](https://github.com/gogs/gogs/issues/5869)
+- Users have access to base repository cannot view commits in forks. [#5878](https://github.com/gogs/gogs/issues/5878)
 - Server error when changing email address in user settings page. [#5899](https://github.com/gogs/gogs/issues/5899)
 - Fall back to use RFC 3339 as time layout when misconfigured. [#6098](https://github.com/gogs/gogs/issues/6098)
 - Unable to update team with server error. [#6185](https://github.com/gogs/gogs/issues/6185)
diff --git a/internal/context/repo.go b/internal/context/repo.go
index 871b35bcb..c1b9ea303 100644
--- a/internal/context/repo.go
+++ b/internal/context/repo.go
@@ -166,11 +166,11 @@ func RepoAssignment(pages ...bool) macaron.Handler {
 c.Data["RepoLink"] = c.Repo.RepoLink
 c.Data["RepoRelPath"] = c.Repo.Owner.Name + "/" + c.Repo.Repository.Name
 
- // Admin has super access.
+ // Admin has super access
 if c.IsLogged && c.User.IsAdmin {
 c.Repo.AccessMode = db.AccessModeOwner
 } else {
- mode, err := db.UserAccessMode(c.UserID(), repo)
+ mode, err := db.UserAccessMode(c.UserID(), c.Repo.Repository)
 if err != nil {
 c.Error(err, "get user access mode")
 return
@@ -178,6 +178,21 @@ func RepoAssignment(pages ...bool) macaron.Handler {
 c.Repo.AccessMode = mode
 }
 
+ // If the authenticated user has no direct access, see if the repository is a fork
+ // and whether the user has access to the base repository.
+ if c.Repo.AccessMode == db.AccessModeNone && c.Repo.Repository.IsFork {
+ mode, err := db.UserAccessMode(c.UserID(), c.Repo.Repository.BaseRepo)
+ if err != nil {
+ c.Error(err, "get user access mode of base repository")
+ return
+ }
+ // Users shouldn't have indirect access level higher than write.
+ if mode > db.AccessModeWrite {
+ mode = db.AccessModeWrite
+ }
+ c.Repo.AccessMode = mode
+ }
+
 // Check access
 if c.Repo.AccessMode == db.AccessModeNone {
 // Redirect to any accessible page if not yet on it
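Review bot: The indirect grant in the second hunk of internal/context/repo.go is capped at `db.AccessModeWrite`, which is broader than the view-only intent stated in the subject and the changelog entry; as written, anyone holding write or higher on the base repository is assigned write on every fork of it, presumably including forks owned by other users. If viewing is all that is intended, clamp to read instead: `if mode > db.AccessModeRead { mode = db.AccessModeRead }`, and update the comment above it to match. The block also passes `c.Repo.Repository.BaseRepo` to `db.UserAccessMode` with no load or nil check visible here, and it does not test `c.IsLogged` although the comment speaks of the authenticated user; whether `BaseRepo` is populated at this point and how a zero user ID is treated cannot be seen from the hunk and should be confirmed. RepoAssignment's body starts and ends outside the hunk.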