From 79f0b1a50b99022fd1e31f4b38e6e574ba354c29 Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Wed, 20 Oct 2021 22:26:48 +0200
Subject: [PATCH] Ensure correct SSH permissions check for private and
 restricted users (#17370) (#17373)

Repositories owned by private users and organisations and pulls by restricted users
need to have permissions checked. Previously Serv would simply assumed that if the
user could log in and the repository was not private then it would be visible.

Fix #17364

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>
---
 routers/private/serv.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/routers/private/serv.go b/routers/private/serv.go
index 6e39790eb504..3367959ac6b4 100644
--- a/routers/private/serv.go
+++ b/routers/private/serv.go
@@ -278,7 +278,12 @@ func ServCommand(ctx *context.PrivateContext) {
 	}
 
 	// Permissions checking:
-	if repoExist && (mode > models.AccessModeRead || repo.IsPrivate || setting.Service.RequireSignInView) {
+	if repoExist &&
+		(mode > models.AccessModeRead ||
+			repo.IsPrivate ||
+			owner.Visibility.IsPrivate() ||
+			user.IsRestricted ||
+			setting.Service.RequireSignInView) {
 		if key.Type == models.KeyTypeDeploy {
 			if deployKey.Mode < mode {
 				ctx.JSON(http.StatusUnauthorized, private.ErrServCommand{