Simplify visibility checks (#20406)

Was looking into the visibility checks because I need them for something different and noticed the checks are more complicated than they have to be.

The rule is just: user/org is visible if
- The doer is a member of the org, regardless of the org visibility
- The doer is not restricted and the user/org is public or limited

models/user/search.go

@@ -59,25 +59,18 @@ func (opts *SearchUserOptions) toSearchQueryBase() *xorm.Session {
 	}
 
 	if opts.Actor != nil {
-		exprCond := builder.Expr("org_user.org_id = `user`.id")
-
 		// If Admin - they see all users!
 		if !opts.Actor.IsAdmin {
-			// Force visibility for privacy
+			// Users can see an organization they are a member of
-			var accessCond builder.Cond
+			accessCond := builder.In("id", builder.Select("org_id").From("org_user").Where(builder.Eq{"uid": opts.Actor.ID}))
 			if !opts.Actor.IsRestricted {
-				accessCond = builder.Or(
+				// Not-Restricted users can see public and limited users/organizations
-					builder.In("id", builder.Select("org_id").From("org_user").LeftJoin("`user`", exprCond).Where(builder.And(builder.Eq{"uid": opts.Actor.ID}, builder.Eq{"visibility": structs.VisibleTypePrivate}))),
+				accessCond = accessCond.Or(builder.In("visibility", structs.VisibleTypePublic, structs.VisibleTypeLimited))
-					builder.In("visibility", structs.VisibleTypePublic, structs.VisibleTypeLimited))
-			} else {
-				// restricted users only see orgs they are a member of
-				accessCond = builder.In("id", builder.Select("org_id").From("org_user").LeftJoin("`user`", exprCond).Where(builder.And(builder.Eq{"uid": opts.Actor.ID})))
 			}
 			// Don't forget about self
 			accessCond = accessCond.Or(builder.Eq{"id": opts.Actor.ID})
 			cond = cond.And(accessCond)
 		}
-
 	} else {
 		// Force visibility for privacy
 		// Not logged in - only public users