Bug: repos query on browse frontend ignores project is_public #58

New issue

Closed

opened 2026-03-01 22:26:10 +00:00 by forgejo_admin · 0 comments

forgejo_admin commented 2026-03-01 22:26:10 +00:00

Owner

Copy link

Plan

plan-2026-02-28-knowledge-system-consolidation — Phase 4 (Privacy Audit)

Repo

pal-e-docs — the repo where the code change happens

User Story

As an unauthenticated visitor browsing pal-e-docs
I need repos belonging to private projects to be hidden
So that internal infrastructure repos are not leaked on the public browse frontend

Acceptance Criteria

When I visit /browse/ or /browse/repos without logging in
Then I only see repos whose parent project has is_public = true

When I visit /browse/ or /browse/repos while logged in
Then I see all repos regardless of project visibility

Additional Information

src/pal_e_docs/routes/frontend.py:

• Line 79 (landing page): repos = db.query(Repo)... — no public filter applied
• Lines 226-227 (/browse/repos): same unfiltered db.query(Repo), plus db.query(Project) also unfiltered

The pattern already exists: _apply_project_public_filter (line 29) filters projects. Repos need an equivalent filter that joins through Repo.project and checks Project.is_public. The /browse/repos route also passes an unfiltered project list to the template.

Discovered during the Phase 4 privacy audit. 13 infra-sensitive notes were already made private. This is the remaining code fix to fully close Phase 4.

Checklist

• PR opened with related notes
• Tests cover the acceptance criteria
• Docs updated if needed

Related

• project-pal-e-docs — parent project
• plan-2026-02-28-knowledge-system-consolidation — Phase 4
• issue-pal-e-docs-repos-public-filter — pal-e-docs issue note

### Plan `plan-2026-02-28-knowledge-system-consolidation` — Phase 4 (Privacy Audit) ### Repo `pal-e-docs` — the repo where the code change happens ### User Story As an unauthenticated visitor browsing pal-e-docs I need repos belonging to private projects to be hidden So that internal infrastructure repos are not leaked on the public browse frontend ### Acceptance Criteria When I visit `/browse/` or `/browse/repos` without logging in Then I only see repos whose parent project has `is_public = true` When I visit `/browse/` or `/browse/repos` while logged in Then I see all repos regardless of project visibility ### Additional Information `src/pal_e_docs/routes/frontend.py`: - **Line 79** (landing page): `repos = db.query(Repo)...` — no public filter applied - **Lines 226-227** (`/browse/repos`): same unfiltered `db.query(Repo)`, plus `db.query(Project)` also unfiltered The pattern already exists: `_apply_project_public_filter` (line 29) filters projects. Repos need an equivalent filter that joins through `Repo.project` and checks `Project.is_public`. The `/browse/repos` route also passes an unfiltered project list to the template. Discovered during the Phase 4 privacy audit. 13 infra-sensitive notes were already made private. This is the remaining code fix to fully close Phase 4. ### Checklist - [ ] PR opened with related notes - [ ] Tests cover the acceptance criteria - [ ] Docs updated if needed ### Related - `project-pal-e-docs` — parent project - `plan-2026-02-28-knowledge-system-consolidation` — Phase 4 - `issue-pal-e-docs-repos-public-filter` — pal-e-docs issue note

forgejo_admin referenced this issue from a commit 2026-03-01 22:33:41 +00:00

fix: filter repos by project is_public on browse frontend (#58)

forgejo_admin referenced this issue 2026-03-01 22:33:58 +00:00

fix: filter repos by project is_public on browse frontend (#58) #59

forgejo_admin referenced this issue 2026-03-02 05:07:38 +00:00

fix: filter repos by project is_public on browse frontend (#58) #59

forgejo_admin referenced this issue 2026-03-02 05:29:38 +00:00

fix: filter repos by project is_public on browse frontend (#58) #59

forgejo_admin referenced this issue from a commit 2026-03-02 05:37:36 +00:00

fix: filter repos by project is_public on browse frontend (#58)

forgejo_admin referenced this issue from a commit 2026-03-02 05:43:41 +00:00

fix: filter repos by project is_public on browse frontend (#58) (#59)

forgejo_admin closed this issue 2026-03-02 06:26:41 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

158-incident-fix-migration-crash-drop-hnsw-i

128-add-jinja2-template-rendering-endpoint-p

132-fix-template-endpoint-qa-nits-is-public

123-clean-up-test-seed-block-objects-with-nu

124-harden-anchor-id-column-to-not-null

119-generate-anchor-ids-for-all-block-types

111-7e-1a-qa-nits-cleanup-redundant-assignme

11-fix-repos-formatting

5-browse-frontend

1-scaffold-project

No results found.

Labels

Clear labels   

domain:backend

  

domain:devops

  

domain:frontend

  

status:approved

QA passed, awaiting merge approval

  

status:in-progress

Dev agent is actively working

  

status:needs-fix

QA found issues, back to dev

  

status:qa

PR submitted, awaiting QA review

  

type:bug

Bug fix

  

type:devops

Infrastructure/CI/config work

  

type:feature

New functionality

No labels

domain:backend

domain:devops

domain:frontend

status:approved

status:in-progress

status:needs-fix

status:qa

type:bug

type:devops

type:feature

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo_admin/pal-e-api#58

No description provided.