
Repository ownership visibility#136

Draft
lws803 wants to merge 1 commit into main from cursor/repository-ownership-visibility-6120

Conversation

Contributor

@lws803 lws803 commented Mar 1, 2026

Description

This PR implements robust access control for private repositories, ensuring they are only visible and accessible to their owners.

Previously, private repositories could be viewed or accessed indirectly through various public feeds, API endpoints, or by non-owners. This change centralizes visibility checks and applies them across all user-facing read paths.

Key changes include:

  • Centralized Visibility Logic: A new repository-visibility.ts helper provides functions to determine if a user can access a given repository based on its public status or ownership via the repositories_users table.
  • Enforced Access on Repo Pages & Status: Direct access to /[org]/[repo] and /[org]/[repo]/status/[status] pages now requires ownership for private repos.
  • Subscription Bypass Prevention: Non-owners can no longer subscribe to private repositories to indirectly view activity.
  • Global Feed Filtering: All public feeds (homepage, API, RSS) now only display public repositories, plus any private repositories owned by the currently authenticated user.
  • Repo-Specific API & RSS Access: Dedicated API and RSS routes for specific repositories (/api/feed/[org]/[repo]) now enforce ownership for private repos, returning a 404 for unauthorized access.
  • Sitemap Exclusion: Private repositories are excluded from the sitemap.
  • Cache-Safety for RSS: Global and repo-specific RSS feeds now use appropriate Cache-Control headers (private, no-store) when user-owned private repos might be included, preventing caching of personalized content.

How to test

  1. Create a private repository:
    • Log in as UserA.
    • Create a new private repository (e.g., UserA/private-repo).
  2. Verify owner access:
    • As UserA, navigate to UserA/private-repo. Verify full access to the repo page, feed, and status updates.
    • Check the global feed while logged in as UserA; UserA/private-repo should appear.
    • Verify UserA can subscribe/unsubscribe to UserA/private-repo.
  3. Verify non-owner restriction:
    • Log out or log in as UserB (who is not an owner of UserA/private-repo).
    • Attempt to navigate to UserA/private-repo. Verify a 404 page is displayed.
    • Check the global feed while logged out or as UserB; UserA/private-repo should not appear.
    • Attempt to subscribe to UserA/private-repo as UserB. Verify this action is prevented.
    • Access the API endpoints for UserA/private-repo (e.g., /api/feed/UserA/private-repo). Verify a 404 or unauthorized response.
  4. Verify public repository behavior:
    • Create a public repository (e.g., UserA/public-repo).
    • Verify UserA/public-repo is accessible to both UserA and UserB (and logged-out users).
    • Verify UserA/public-repo appears in global feeds for all users.


Co-authored-by: Wilson Ler <lws803@gmail.com>
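To make the access rules described above concrete, here is an added TypeScript example that models them end to end: the central visibility check, the subscription gate, global feed filtering, the 404 for a private repo the viewer does not own, and the Cache-Control choice for feeds that may contain private items. This is illustration code written for this page, not the project's repository-visibility.ts; the type names, function names and sample rows are assumptions, and the ownership rows merely stand in for the repositories_users table.

```typescript
// Added example modelling the visibility rules this PR describes. Type and
// function names are assumptions for illustration, not the project's own
// repository-visibility.ts API; all data below is constructed.

type Repository = { id: number; org: string; name: string; isPrivate: boolean };
// One row per (repository, user) pair, standing in for the repositories_users table.
type Ownership = { repositoryId: number; userId: string };
// null models an anonymous (logged-out) request.
type Viewer = { userId: string } | null;

function isOwner(repo: Repository, viewer: Viewer, ownerships: Ownership[]): boolean {
  if (viewer === null) return false;
  return ownerships.some((o) => o.repositoryId === repo.id && o.userId === viewer.userId);
}

// Central check: public repos are visible to everyone, private ones only to owners.
function canViewRepository(repo: Repository, viewer: Viewer, ownerships: Ownership[]): boolean {
  return !repo.isPrivate || isOwner(repo, viewer, ownerships);
}

// Subscribing requires a logged-in viewer who may see the repository, so a
// non-owner cannot use a subscription to follow a private repo's activity.
function canSubscribe(repo: Repository, viewer: Viewer, ownerships: Ownership[]): boolean {
  return viewer !== null && canViewRepository(repo, viewer, ownerships);
}

// Global feeds (homepage, API, RSS) and the sitemap are built from this filtered list.
function filterVisibleRepositories(repos: Repository[], viewer: Viewer, ownerships: Ownership[]): Repository[] {
  return repos.filter((r) => canViewRepository(r, viewer, ownerships));
}

// A response that may contain a viewer's private repos is personalised and must
// not be stored by shared caches; an all-public response can be cached normally.
function cacheControlForFeed(visible: Repository[]): string {
  return visible.some((r) => r.isPrivate) ? "private, no-store" : "public, max-age=60";
}

type FeedResponse = { status: 200; repo: Repository; cacheControl: string } | { status: 404 };

// Repo-specific route such as /api/feed/[org]/[repo]: a private repo the viewer
// does not own gets the same 404 as a repo that does not exist, so the response
// does not reveal whether that name is taken.
function resolveRepoFeed(
  org: string,
  name: string,
  viewer: Viewer,
  repos: Repository[],
  ownerships: Ownership[],
): FeedResponse {
  const repo = repos.find((r) => r.org === org && r.name === name);
  if (!repo || !canViewRepository(repo, viewer, ownerships)) return { status: 404 };
  return { status: 200, repo, cacheControl: cacheControlForFeed([repo]) };
}

// Constructed sample data mirroring the PR's test plan.
const PRIVATE_REPO: Repository = { id: 1, org: "UserA", name: "private-repo", isPrivate: true };
const PUBLIC_REPO: Repository = { id: 2, org: "UserA", name: "public-repo", isPrivate: false };
const REPOS: Repository[] = [PRIVATE_REPO, PUBLIC_REPO];
const OWNERSHIPS: Ownership[] = [
  { repositoryId: 1, userId: "UserA" },
  { repositoryId: 2, userId: "UserA" },
];
const USER_A: Viewer = { userId: "UserA" };
const USER_B: Viewer = { userId: "UserB" };
const ANON: Viewer = null;

// Walk through the scenarios from the test plan and print the outcomes.
function runScenarios(): Record<string, number | boolean | string> {
  return {
    ownerPrivateStatus: resolveRepoFeed("UserA", "private-repo", USER_A, REPOS, OWNERSHIPS).status,
    nonOwnerPrivateStatus: resolveRepoFeed("UserA", "private-repo", USER_B, REPOS, OWNERSHIPS).status,
    anonPublicStatus: resolveRepoFeed("UserA", "public-repo", ANON, REPOS, OWNERSHIPS).status,
    anonFeedCount: filterVisibleRepositories(REPOS, ANON, OWNERSHIPS).length,
    ownerFeedCache: cacheControlForFeed(filterVisibleRepositories(REPOS, USER_A, OWNERSHIPS)),
    anonFeedCache: cacheControlForFeed(filterVisibleRepositories(REPOS, ANON, OWNERSHIPS)),
    nonOwnerCanSubscribe: canSubscribe(PRIVATE_REPO, USER_B, OWNERSHIPS),
  };
}

console.log(runScenarios());
```

The one design point worth noting is that the repo-specific route answers with the same 404 for "does not exist" and "exists but you are not an owner", which matches the PR's description and keeps the existence of a private repository from being inferred from the status code. Because the anonymous feed contains only public items it keeps a cacheable header, while UserA's feed, which includes a private repository, gets private, no-store.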

cursor bot commented Mar 1, 2026

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
Learn more about Cursor Agents


vercel bot commented Mar 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
nom Ready Ready Preview, Comment Mar 1, 2026 0:55am
