fix permission check for creating comment while mail (#22524)

only creating comment on locked issue request write permission, for others, read permission is enough. related to #22056 /cc @KN4CK3R --------- Signed-off-by: a1012112796 <1012112796@qq.com> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
go-gitea · Jan 28, 2023 · 48f5d51 · 48f5d51
1 parent 95d9fbd
commit 48f5d51
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/services/mailer/incoming/incoming_handler.go b/services/mailer/incoming/incoming_handler.go
@@ -71,11 +71,17 @@ func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *u
 		return err
 	}
 
-	if !perm.CanWriteIssuesOrPulls(issue.IsPull) || issue.IsLocked && !doer.IsAdmin {
+	// Locked issues require write permissions
+	if issue.IsLocked && !perm.CanWriteIssuesOrPulls(issue.IsPull) && !doer.IsAdmin {
 		log.Debug("can't write issue or pull")
 		return nil
 	}
 
+	if !perm.CanReadIssuesOrPulls(issue.IsPull) {
+		log.Debug("can't read issue or pull")
+		return nil
+	}
+
 	switch r := ref.(type) {
 	case *issues_model.Issue:
 		attachmentIDs := make([]string, 0, len(content.Attachments))