Fix comment permissions (#28213)

This PR will fix some missed checks for private repositories' data on web routes and API routes.
2023-11-26 01:21:21 +08:00 · 2023-11-26 01:21:21 +08:00 · 882e502327
commit 882e502327
parent 80217cacfc
34 changed files with 417 additions and 105 deletions
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -1259,8 +1259,8 @@ func Routes() *web.Route {
 			m.Group("/{username}/{reponame}", func() {
 				m.Group("/issues", func() {
 					m.Combo("").Get(repo.ListIssues).
-						Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)
-					m.Get("/pinned", repo.ListPinnedIssues)
+						Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), reqRepoReader(unit.TypeIssues), repo.CreateIssue)
+					m.Get("/pinned", reqRepoReader(unit.TypeIssues), repo.ListPinnedIssues)
 					m.Group("/comments", func() {
 						m.Get("", repo.ListRepoIssueComments)
 						m.Group("/{id}", func() {