From 18a90c2561409b2d7a5f25713fa98d87b50540a5 Mon Sep 17 00:00:00 2001
From: Konstantin Haase
Date: Wed, 19 Aug 2015 13:04:54 +0200
Subject: [PATCH] v3: if the API is not marked as public (travis-ci.com), then do not allow read access to organizations the user is not a member of (note: private repos were never included)

---
 lib/travis/api/v3/access_control/generic.rb | 2 +-
 lib/travis/api/v3/access_control/user.rb | 4 ++++
 spec/v3/services/organization/find_spec.rb | 13 +++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/lib/travis/api/v3/access_control/generic.rb b/lib/travis/api/v3/access_control/generic.rb
index 2ed00476..c6bab377 100644
--- a/lib/travis/api/v3/access_control/generic.rb
+++ b/lib/travis/api/v3/access_control/generic.rb
@@ -56,7 +56,7 @@ module Travis::API::V3
     end
 
     def organization_visible?(organization)
-      unrestricted_api?
+      full_access? or public_api?
     end
 
     def user_visible?(user)
diff --git a/lib/travis/api/v3/access_control/user.rb b/lib/travis/api/v3/access_control/user.rb
index b0b93f15..e48bb577 100644
--- a/lib/travis/api/v3/access_control/user.rb
+++ b/lib/travis/api/v3/access_control/user.rb
@@ -25,6 +25,10 @@ module Travis::API::V3
     protected
 
+    def organization_visible?(organization)
+      super or organization_writable?(organization)
+    end
+
     def organization_writable?(organization)
       organization.members.include? user
     end
 
diff --git a/spec/v3/services/organization/find_spec.rb b/spec/v3/services/organization/find_spec.rb
index 2245441a..1ffc2654 100644
--- a/spec/v3/services/organization/find_spec.rb
+++ b/spec/v3/services/organization/find_spec.rb
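Review bot: The new body `full_access? or public_api?` uses the keyword `or`, whose precedence is below assignment; as the sole expression of a predicate it returns the right value, but the first `visible = full_access? or public_api?` refactor will silently always assign `full_access?`, so prefer `full_access? || public_api?` (the same applies to `super or organization_writable?(organization)` in user.rb). Since this is the visibility default that every access-control subclass inherits, a comment above the def would help the next reader: `# Default: organizations are readable only with full access or on a public API; subclasses may widen this (User adds membership).` The `organization` argument is unused in this default, which is fine for an overridable hook but worth saying in that comment. The enclosing class starts outside the hunk.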
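Review bot: The override has no comment explaining why write access (membership) is being reused as the read rule under a non-public API, and a reader of the protected section will wonder whether visibility was meant to be broader than writability. Suggest, above the def: `# Members may always read their own organization even when the API is not public; everyone else gets Generic's rule.` It is worth noting in that comment that the argument-less `super` re-passes `organization` implicitly and that `organization_writable?` (and its `organization.members` lookup) only runs when `super` is false, i.e. on a private API. The enclosing class starts outside the hunk.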
@@ -19,4 +19,17 @@ describe Travis::API::V3::Services::Organization::Find do
       "avatar_url" => nil
     }}
   end
+
+  describe 'existing org, private api' do
+    before { Travis.config.private_api = true }
+    before { get("/v3/org/#{org.id}") }
+    after { Travis.config.private_api = false }
+    example { expect(last_response).to be_not_found }
+    example { expect(JSON.load(body)).to be == {
+      "@type" => "error",
+      "error_type" => "not_found",
+      "error_message" =>"organization not found (or insufficient access)",
+      "resource_type" => "organization"
+    }}
+  end
 end
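Review bot: The `after { Travis.config.private_api = false }` hook resets the setting to a literal rather than restoring whatever it was before the example, so it leaks a changed value into later examples if the suite ever runs with `private_api` enabled; capture it instead: `before { @private_api_was = Travis.config.private_api; Travis.config.private_api = true }` and `after { Travis.config.private_api = @private_api_was }`. The new block also covers only the refusal path: nothing here checks that a member of `org` can still read it with `private_api` on, which is the branch the user.rb override adds, and the `get` appears to be unauthenticated, so the member case seems untested by this change — worth a second example. The response body shape (`error_type`, `resource_type`) matches the generic not-found error, which is the intended non-leaking behaviour; a short comment saying that the 404 is deliberate so that existence of private orgs is not disclosed would make that explicit.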