[v14.0/forgejo] fix: ignore private .profile repo on user profile page (#10495)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/10486 Fixes #4202 Co-authored-by: Bram Hagens <bram@bramh.me> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10495 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2025-12-20 07:06:26 +01:00 · 2025-12-20 07:06:26 +01:00 · 44102c47d4
commit 44102c47d4
parent fed7d64861
2 changed files with 34 additions and 2 deletions
--- a/routers/web/shared/user/header.go
+++ b/routers/web/shared/user/header.go
@ -97,8 +97,8 @@ func PrepareContextForProfileBigAvatar(ctx *context.Context) {
 func FindUserProfileReadme(ctx *context.Context, doer *user_model.User) (profileDbRepo *repo_model.Repository, profileGitRepo *git.Repository, profileReadmeBlob *git.Blob, profileClose func()) {
 	profileDbRepo, err := repo_model.GetRepositoryByName(ctx, ctx.ContextUser.ID, ".profile")
 	if err == nil {
-		// Don't show profile content if .profile repository is a fork
-		if profileDbRepo.IsFork {
+		// Don't show profile content if .profile repository is a fork or private
+		if profileDbRepo.IsFork || profileDbRepo.IsPrivate {
 			return nil, nil, nil, func() {}
 		}
 		perm, err := access_model.GetUserRepoPermission(ctx, profileDbRepo, doer)
--- a/tests/integration/user_profile_test.go
+++ b/tests/integration/user_profile_test.go
@ -170,5 +170,37 @@ quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequa
 			assert.True(t, forkedRepo.IsFork, "Repository should be marked as a fork")
 			assert.Equal(t, originalRepo.ID, forkedRepo.ForkID, "Fork should reference original repository")
 		})
+
+		t.Run("private-profile-repo", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+			// Create a private .profile repository
+			profileRepo, _, f := tests.CreateDeclarativeRepo(t, user2, ".profile", nil, nil, []*files_service.ChangeRepoFile{
+				{
+					Operation:     "update",
+					TreePath:      "README.md",
+					ContentReader: strings.NewReader("# Private Profile Content\nThis should NOT show up on user profile."),
+				},
+			})
+			defer f()
+
+			// Make the repository private
+			profileRepo.IsPrivate = true
+			err := repo_service.UpdateRepository(git.DefaultContext, profileRepo, true)
+			require.NoError(t, err)
+
+			// Verify that user2's profile does NOT show the private content
+			req := NewRequest(t, "GET", "/user2")
+			resp := MakeRequest(t, req, http.StatusOK)
+			bodyStr := resp.Body.String()
+
+			assert.NotContains(t, bodyStr, "Private Profile Content", "Private .profile repo should NOT render profile content")
+			assert.NotContains(t, bodyStr, "This should NOT show up on user profile", "Private .profile repo should NOT render profile content")
+
+			// Verify the repository is actually private
+			assert.True(t, profileRepo.IsPrivate, "Repository should be marked as private")
+		})
 	})
 }