fix: improve visibility of mismatched repository & package visibility (#12627)

A concern has been raised to the security team that Forgejo users can be confused by the visibility of packages in Forgejo being linked to the owner of the package, and not the repository that a package may be linked to.  While future feature requests may change how package visibility works, an immediately actionable response is to ensure that this is clearer to end-users.

This PR adds a warning on the Settings -> Unit page of a private repository, and the Packages tab of a private repository, if the owner of the repository is public.  It also renames the unit "Enable repository package registry" to "Enable package linking", to better reflect the fact that enabling packages on a repository does not create some repository-level registry.

**Before**:
![image](/attachments/bf304466-e921-482d-9ba0-473e10775d68)

**After**:
![20260518_091806](/attachments/1f9dee3f-5b83-4b30-95f2-6f49eb7b5070)

**On repository's Packages tab**:
![20260518_091821](/attachments/ebb8fad0-0db6-4490-9c13-898876134438)

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12627
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Mathieu Fenniak 2026-05-20 20:25:11 +02:00 committed by Mathieu Fenniak
commit 6244e333b1
4 changed files with 15 additions and 2 deletions

@ -2192,7 +2192,7 @@ settings.default_update_style_desc=Default update style used for updating pull r
settings.pulls.default_delete_branch_after_merge = Delete pull request branch after merge by default
settings.pulls.default_allow_edits_from_maintainers = Allow edits from maintainers by default
settings.releases_desc = Enable repository releases
settings.packages_desc = Enable repository package registry
settings.packages_desc = Enable package linking
settings.projects_desc = Enable repository projects
settings.actions_desc = Enable integrated CI/CD pipelines with Forgejo Actions
settings.admin_settings = Administrator settings
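
Review bot: `settings.packages_desc` keeps its key while its meaning changes from a registry toggle to "package linking", so any existing translation stored under this key would keep showing the old registry wording. Consider introducing a new key for the renamed label so that stale translations fall back to the English text rather than contradicting it.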

@ -93,6 +93,7 @@
"repo.pulls.status_checks_skipped": "Skipped",
"repo.form.cannot_create": "All spaces in which you can create repositories have reached the limit of repositories.",
"repo.view.gitmodules_too_large": "The .gitmodules file is too large and will be ignored (on API calls for instance)",
"repo.packages.visibility_warning": "This repository is private, but linked packages are public (owner %s is public).",
"migrate.select.title": "Migrate repository",
"migrate.form.error.url_credentials": "The URL contains credentials, put them in the username and password fields respectively",
"migrate.github.description": "Migrate data from github.com or GitHub Enterprise server.",
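
Review bot: the new `repo.packages.visibility_warning` string states the outcome but not the rule behind it, so a reader learns that linked packages are public without learning that package visibility follows the owner rather than the repository. Suggest wording along the lines of "Packages linked to this private repository follow the visibility of their owner %s, which is public." so the user knows which setting actually controls exposure.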

@ -2,7 +2,13 @@
<div role="main" aria-label="{{.Title}}" class="page-content repository packages">
{{template "repo/header" .}}
<div class="ui container">
{{template "package/shared/list" .}}
{{if (and .Repository.IsPrivate .Repository.Owner.Visibility.IsPublic)}}
<div class="ui warning message flash-message flash-warning">
{{svg "octicon-alert"}}
{{ctx.Locale.Tr "repo.packages.visibility_warning" .Repository.OwnerName}}
</div>
{{end}}
{{template "package/shared/list" .}}
</div>
</div>
{{template "base/footer" .}}
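
Review bot: the guard `and .Repository.IsPrivate .Repository.Owner.Visibility.IsPublic` fires only when the owner is exactly public. If owner visibility has an intermediate level (visible to signed-in users but not to anonymous ones), packages linked to a private repository under such an owner would still be readable outside the repository's collaborators and no warning would appear. Worth confirming whether the test should be "owner is not private", with the message text adjusted to match, and that `.Repository.Owner` is always loaded on this route, since the template dereferences it unconditionally.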

@ -40,6 +40,12 @@
<input class="enable-system" name="enable_packages" type="checkbox" {{if $isPackagesEnabled}}checked{{end}}>
<label>{{ctx.Locale.Tr "repo.settings.packages_desc"}}</label>
</div>
{{if (and .Repository.IsPrivate .Repository.Owner.Visibility.IsPublic)}}
<span class="ui yellow label warning">
{{svg "octicon-alert"}}
{{ctx.Locale.Tr "repo.packages.visibility_warning" .Repository.OwnerName}}
</span>
{{end}}
</div>
{{if .EnableActions}}
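
Review bot: this block repeats the `and .Repository.IsPrivate .Repository.Owner.Visibility.IsPublic` condition from the Packages tab template and renders the same string with different markup (`span` with `ui yellow label warning` here, a `flash-warning` message there), so the two copies can drift when the visibility rule changes. Computing the flag once and exposing it to both templates, or moving the warning into a shared sub-template, would keep them in sync. The `<span>` also sits after the checkbox's closing `</div>`, so it is not programmatically associated with the `enable_packages` input; an `aria-describedby` on the input pointing at the warning would tie the two together.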