fix permission check for creating comment while mail (#22524)

only creating comment on locked issue request write permission,
for others, read permission is enough.

related to https://github.com/go-gitea/gitea/pull/22056

/cc @KN4CK3R

---------

Signed-off-by: a1012112796 <1012112796@qq.com>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
a1012112796 2023-01-28 17:28:55 +08:00 committed by GitHub
parent 95d9fbdcf3
commit 48f5d51908
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -71,11 +71,17 @@ func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *u
return err return err
} }
if !perm.CanWriteIssuesOrPulls(issue.IsPull) || issue.IsLocked && !doer.IsAdmin { // Locked issues require write permissions
if issue.IsLocked && !perm.CanWriteIssuesOrPulls(issue.IsPull) && !doer.IsAdmin {
log.Debug("can't write issue or pull") log.Debug("can't write issue or pull")
return nil return nil
} }
if !perm.CanReadIssuesOrPulls(issue.IsPull) {
log.Debug("can't read issue or pull")
return nil
}
switch r := ref.(type) { switch r := ref.(type) {
case *issues_model.Issue: case *issues_model.Issue:
attachmentIDs := make([]string, 0, len(content.Attachments)) attachmentIDs := make([]string, 0, len(content.Attachments))