From 87630a6583a0bc6d9b33aae1aa5a08eea765af24 Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Sun, 20 Nov 2022 13:35:26 +0100
Subject: [PATCH] Do not allow Ghost access to limited visible user/org
 (#21849) (#21875)

Backport of #21849

Co-authored-by: Lauris BH <lauris@nix.lv>
---
 models/organization/org.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/models/organization/org.go b/models/organization/org.go
index 0d4a5e337b..6e70233bc3 100644
--- a/models/organization/org.go
+++ b/models/organization/org.go
@@ -448,8 +448,9 @@ func CountOrgs(opts FindOrgOptions) (int64, error) {
 
 // HasOrgOrUserVisible tells if the given user can see the given org or user
 func HasOrgOrUserVisible(ctx context.Context, orgOrUser, user *user_model.User) bool {
-	// Not SignedUser
-	if user == nil {
+	// If user is nil, it's an anonymous user/request.
+	// The Ghost user is handled like an anonymous user.
+	if user == nil || user.IsGhost() {
 		return orgOrUser.Visibility == structs.VisibleTypePublic
 	}