Repository visibility model in search results is not applying correctly
Created by: quinnkeast
- Sourcegraph.com
Originally reported in this Slack thread in relation to a request.
We have confirmed that the collaborators each added private repositories individually through "Manage repositories," and then removed repositories in the same view by unchecking the ones they no longer wanted to search on Sourcegraph.
Steps to reproduce:
- On GitHub.com, create a private repository.
- Add a collaborator to that private repository.
- Both you and the collaborator should add that repository to your repositories on Sourcegraph. Verify that you can each view that repository.
- In this step, your collaborator should take no action. On your end, remove that repository from your repositories on Sourcegraph via the "Manage repositories" view.
Expected behaviour:
Our code visibility model is that you will only see private code on Sourcegraph Cloud if:
- You have access to that repository on the code host AND
- (You have added that repository to Sourcegraph OR you belong to an organization that has added that repository to Sourcegraph)
This means that once you have removed a private repository from your repositories on Sourcegraph, and you don't belong to any organizations, that repository should never appear in search results, and you should not be able to confirm that repository's existence via Sourcegraph.
This model helps to make Sourcegraph's code visibility traceable—every user can always identify why they may be able to see a private repository on Sourcegraph.
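The visibility rule above, written out as an added example (this is not Sourcegraph's own authorization code): a hypothetical `Visible` predicate over constructed users, with the reproduction steps encoded so that the reporter's removed repository stays hidden even though the collaborator still has it added.

```go
package main

import "fmt"

// Repo identifies a code-host repository (constructed example data).
type Repo string

// Org is an organization that can add repositories on behalf of its members.
type Org struct{ Added map[Repo]bool }

// User is a minimal model of a Sourcegraph Cloud user for this example.
type User struct {
	CodeHostAccess map[Repo]bool // repositories the user can read on the code host
	Added          map[Repo]bool // repositories added via "Manage repositories"
	Orgs           []*Org
}

// Visible implements the visibility model stated in the issue:
// code-host access AND (added by the user OR added by one of the user's orgs).
// Whether some other user has added the repository plays no part.
func Visible(u *User, r Repo) bool {
	if !u.CodeHostAccess[r] {
		return false
	}
	if u.Added[r] {
		return true
	}
	for _, o := range u.Orgs {
		if o.Added[r] {
			return true
		}
	}
	return false
}

// ReproScenario builds the issue's reproduction steps: both users have code-host
// access, the collaborator keeps the repo added, the reporter has removed it.
func ReproScenario() (reporter, collaborator *User, repo Repo) {
	repo = "github.com/example/private-repo" // constructed placeholder name
	collaborator = &User{CodeHostAccess: map[Repo]bool{repo: true}, Added: map[Repo]bool{repo: true}}
	reporter = &User{CodeHostAccess: map[Repo]bool{repo: true}, Added: map[Repo]bool{}}
	return reporter, collaborator, repo
}

func main() {
	reporter, collaborator, repo := ReproScenario()
	fmt.Println("collaborator sees repo:", Visible(collaborator, repo)) // true
	fmt.Println("reporter sees repo:", Visible(reporter, repo))         // false
}
```

Any search-context or direct-view path that shows the reporter the repository is returning a result this predicate would deny.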
Actual behaviour:
We've confirmed and reproduced the following behaviour:
- Do a search with your personal search context and an empty search query. That repo will not appear (since this will list all repositories in your search context, and you removed that repository from your repositories on Sourcegraph).
- Do a search that includes `context:@yourCollaboratorsUsername`. That repo will now appear.
- Do a search targeting a file in that repository in the global context. That file will appear in search results.
- Do a search targeting that repository in the global context. That repository will appear in search results.
- View the repository directly on Sourcegraph. You will have access.