From 079703f69547352f16db89e570a58681dd3c75d2 Mon Sep 17 00:00:00 2001
From: Farhaan Bukhsh
Date: Apr 14 2017 10:32:37 +0000
Subject: Document code and fix condition to filter Code documentation is done as pointed by @pingou and @jcline The condition private == username is removed because there was no need to filter, the filtering needs to be done when a different user is viewing the projects.
---
diff --git a/pagure/lib/__init__.py b/pagure/lib/__init__.py
index 17759db..2b1b728 100644
--- a/pagure/lib/__init__.py
+++ b/pagure/lib/__init__.py
@@ -1997,14 +1997,9 @@ def search_projects(
 projects = projects.filter(
 model.Project.private == False
 )
- elif private == username:
- projects = projects.filter(
- sqlalchemy.or_(
- model.Project.private == False,
- model.Project.private == True,
- )
- )
- elif isinstance(private, basestring):
+ # No filtering is done if private == username i.e if the owner of the
+ # project is viewing the project
+ elif isinstance(private, basestring) and private != username:
 projects = projects.filter(
 sqlalchemy.or_(
 model.Project.private == False,
diff --git a/pagure/templates/settings.html b/pagure/templates/settings.html
index 8894d29..7da9140 100644
--- a/pagure/templates/settings.html
+++ b/pagure/templates/settings.html
@@ -41,12 +41,14 @@ tags for project (separated by commas) -
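Review bot: In `search_projects` the owner case is now the implicit fall-through of the `if`/`elif` chain, so any `private` value that matches none of the branch conditions gets no privacy filter at all. Keeping the owner case as an explicit branch, e.g. `elif private == username:` followed by `pass  # owner viewing their own projects`, would make the one intended unfiltered path visible and leave room for a final `else:` that restricts to `model.Project.private == False`. The removed `or_(private == False, private == True)` also excluded rows where `private` is NULL, which the unfiltered path now returns; this is presumably harmless but worth confirming against the column definition. The chain starts above the hunk and the rewritten `elif` body continues below it, so whether `username` already limits the query to the viewer's own projects cannot be confirmed from these lines. A regression test in which a second user queries another user's projects would pin the behaviour.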
-
+ {% if config.get('PRIVATE_PROJECTS', False) %} +
+
+ {% endif %}
diff --git a/pagure/ui/app.py b/pagure/ui/app.py
index 2a3ad95..aa10da2 100644
--- a/pagure/ui/app.py
+++ b/pagure/ui/app.py
@@ -181,6 +181,8 @@ def view_users(username=None):
 users = pagure.lib.search_user(SESSION, pattern=username)
 private = False
+ # Condition to check non-authorized user should't be able to access private
+ # project of other users
 if authenticated() and username == flask.g.fas_user.username:
 private = flask.g.fas_user.username
diff --git a/pagure/ui/plugins.py b/pagure/ui/plugins.py
index 6f79b0d..363a4b3 100644
--- a/pagure/ui/plugins.py
+++ b/pagure/ui/plugins.py
@@ -74,6 +74,9 @@ def view_plugin(repo, plugin, username=None, namespace=None, full=True):
 403,
 'You are not allowed to change the settings for this project')
+ # Private repos are not allowed to leak information outside so disabling CI
+ # enables us to keep the repos totally discreate and prevents from leaking
+ # information outside
 if repo.private and plugin == 'Pagure CI':
 flask.abort(404, 'Plugin disabled')
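Review bot: The comment added in `view_users` reads as if the `if` below it denies access, but that branch is the one that grants it, and `should't` is a typo. A wording that matches the code would be `# Only a logged-in user viewing their own page gets private = <their username>; everyone else keeps private = False and sees public projects only.` The same `username` is passed to `search_user` as `pattern=` just above, so the equality test succeeds only when the pattern is exactly the logged-in name; that looks intended but is worth stating in the comment. How `private` is consumed lies below the hunk.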
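Review bot: The comment added above the `repo.private and plugin == 'Pagure CI'` check in `view_plugin` states a guarantee that this guard alone may not provide. The check runs only when the plugin settings view is requested and matches the plugin by its display string, so a project that enabled CI while public and was later made private would presumably not be caught here. If the private flag can change after creation, that path needs its own check. The wording could also be tightened and `discreate` corrected, e.g. `# Pagure CI would expose project information outside of pagure, so the plugin is disabled for private projects.` The start of `view_plugin` is outside the hunk.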