Admin users should not be able to see private repositories on users profile page #11723

New Issue

Open

opened 2025-11-02 09:45:49 -06:00 by GiteaMirror · 5 comments

GiteaMirror commented 2025-11-02 09:45:49 -06:00

Owner

Copy Link

Originally created by @lautriva on GitHub (Sep 25, 2023).

Description

I understand that admin users have all access

But, when logged as an administrator
Private repos of other users should not be shown on their profile page https://git.example.com/{USERNAME} and only shown at https://git.example.com/admin/repos

Example

User A is an admin. User B is a regular user

User B have many repos: some private, some shared (with A as a collaborator) and some public ones

Expected behavior

User A should only sees B's public or collaborated repositories on B's public page

Actual Behavior

All B's repositories are shown

---

Gitea Version

1.20.4

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker installation with docker-compose

Database

MySQL/MariaDB

Originally created by @lautriva on GitHub (Sep 25, 2023). ### Description I understand that admin users have all access But, when logged as an administrator Private repos of other users should not be shown on their profile page `https://git.example.com/{USERNAME}` and only shown at `https://git.example.com/admin/repos` ## Example User A is an admin. User B is a regular user User B have many repos: some private, some shared (with A as a collaborator) and some public ones #### Expected behavior User A should only sees B's public or collaborated repositories on B's public page #### Actual Behavior All B's repositories are shown ---- ### Gitea Version 1.20.4 ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version _No response_ ### Operating System _No response_ ### How are you running Gitea? Docker installation with docker-compose ### Database MySQL/MariaDB

GiteaMirror added the type/bug label 2025-11-02 09:45:49 -06:00

GiteaMirror commented 2025-11-02 09:45:50 -06:00

Author

Owner

Copy Link

@jrjake commented on GitHub (Oct 8, 2023):

Seems to be duplicate of #3442. With most software deployments like Gitea, OpenProject, JIRA, Confluence, typically people with administrator rights will have two accounts - their main, non-admin account and an admin account which is used exclusively for administration purposes.

Using an admin account as daily driver is kind of like logging into servers as 'root'. If computer is infected or they accidentally run command, there is lot of potential for damage.

@jrjake commented on GitHub (Oct 8, 2023): Seems to be duplicate of #3442. With most software deployments like Gitea, OpenProject, JIRA, Confluence, typically people with administrator rights will have two accounts - their main, non-admin account and an admin account which is used exclusively for administration purposes. Using an admin account as daily driver is kind of like logging into servers as 'root'. If computer is infected or they accidentally run command, there is lot of potential for damage.

GiteaMirror commented 2025-11-02 09:45:50 -06:00

Author

Owner

Copy Link

@lautriva commented on GitHub (Oct 11, 2023):

I think the code to check that is already there
For example in the main page, the Repositories list (see below) seems to honor the permissions (I don't see people's private repos)
I think its just a bug because the same permissions aren't applied between those 2 pages

@lautriva commented on GitHub (Oct 11, 2023): I think the code to check that is already there For example in the main page, the `Repositories` list (see below) seems to honor the permissions (I don't see people's private repos) I think its just a bug because the same permissions aren't applied between those 2 pages 

GiteaMirror commented 2025-11-02 09:45:50 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Oct 11, 2023):

Administrators should find the repositories from admin panel features.

@lunny commented on GitHub (Oct 11, 2023): Administrators should find the repositories from admin panel features.

GiteaMirror commented 2025-11-02 09:45:50 -06:00

Author

Owner

Copy Link

@lautriva commented on GitHub (Oct 11, 2023):

Yes I know this one, in my example I referred it as https://git.example.com/admin/repos
I know and I'm ok with the fact that here all instance repos are shown 🙂

My problem is when I check on user profile page https://git.example.com/{USERNAME}, their private repos are shown here but they shouldn't be

@lautriva commented on GitHub (Oct 11, 2023): Yes I know this one, in my example I referred it as `https://git.example.com/admin/repos` I know and I'm ok with the fact that here all instance repos are shown :slightly_smiling_face: My problem is when I check on user profile page `https://git.example.com/{USERNAME}`, their private repos are shown here but they shouldn't be

GiteaMirror commented 2025-11-02 09:45:51 -06:00

Author

Owner

Copy Link

@lautriva commented on GitHub (Dec 3, 2024):

Hi,
Any news on this one ?

@lautriva commented on GitHub (Dec 3, 2024): Hi, Any news on this one ?

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label type/bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#11723