Fix missing check (#28406) (#28413) release/v1.20
authorLunny Xiao <xiaolunwen@gmail.com>
Tue, 12 Dec 2023 08:49:00 +0000 (16:49 +0800)
committerGitHub <noreply@github.com>
Tue, 12 Dec 2023 08:49:00 +0000 (16:49 +0800)
backport #28406

routers/web/repo/issue_content_history.go
routers/web/repo/issue_pin.go

index b6345e434c936520a13ac0b3d07f23b3da6ae3d8..69fcb583acf71a576e8883ad24400f6c50b352c4 100644 (file)
@@ -189,15 +189,29 @@ func SoftDeleteContentHistory(ctx *context.Context) {
        var comment *issues_model.Comment
        var history *issues_model.ContentHistory
        var err error
+
+       if history, err = issues_model.GetIssueContentHistoryByID(ctx, historyID); err != nil {
+               log.Error("can not get issue content history %v. err=%v", historyID, err)
+               return
+       }
+       if history.IssueID != issue.ID {
+               ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})
+               return
+       }
        if commentID != 0 {
+               if history.CommentID != commentID {
+                       ctx.NotFound("CompareCommentID", issues_model.ErrCommentNotExist{})
+                       return
+               }
+
                if comment, err = issues_model.GetCommentByID(ctx, commentID); err != nil {
                        log.Error("can not get comment for issue content history %v. err=%v", historyID, err)
                        return
                }
-       }
-       if history, err = issues_model.GetIssueContentHistoryByID(ctx, historyID); err != nil {
-               log.Error("can not get issue content history %v. err=%v", historyID, err)
-               return
+               if comment.IssueID != issue.ID {
+                       ctx.NotFound("CompareIssueID", issues_model.ErrCommentNotExist{})
+                       return
+               }
        }
 
        canSoftDelete := canSoftDeleteContentHistory(ctx, issue, comment, history)
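Review bot: The error branch of the moved lookup `if history, err = issues_model.GetIssueContentHistoryByID(ctx, historyID); err != nil { ... }` only logs and returns, so a request with a bad or foreign historyID gets no explicit 4xx/5xx unless the framework writes a default response; `ctx.ServerError("GetIssueContentHistoryByID", err)` would make the failure visible to the client and keep the handler's responses consistent with the NotFound paths added just below. The label on the new history/issue mismatch, `ctx.NotFound("CompareRepoID", issues_model.ErrCommentNotExist{})`, names a repository comparison although the condition is `history.IssueID != issue.ID`; `ctx.NotFound("CompareIssueID", issues_model.ErrCommentNotExist{})` would match the check and the label already used for the comment case further down, which matters when these log entries are used to spot cross-issue probing. SoftDeleteContentHistory starts and ends outside the hunk, so whether issue has itself been verified against ctx.Repo cannot be confirmed from here.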
index bbfeaee6e8523777ee7b897da9304531fb7ac777..6680de32a9b718aeed6b1d60ba5e6f2fe0fd4699 100644 (file)
@@ -90,6 +90,12 @@ func IssuePinMove(ctx *context.Context) {
                return
        }
 
+       if issue.RepoID != ctx.Repo.Repository.ID {
+               ctx.Status(http.StatusNotFound)
+               log.Error("Issue does not belong to this repository")
+               return
+       }
+
        err = issue.MovePin(ctx, form.Position)
        if err != nil {
                ctx.Status(http.StatusInternalServerError)
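Review bot: The new ownership check's log line `log.Error("Issue does not belong to this repository")` carries no identifiers, so a mismatch, which in this handler can only come from a request naming an issue outside the current repository, cannot be correlated with the request afterwards. Including both sides of the comparison, `log.Error("Issue %d does not belong to repository %d", issue.ID, ctx.Repo.Repository.ID)`, keeps the 404 unchanged while giving operators what they need to notice repeated cross-repository attempts. Error level is also loud for a client-caused condition; log.Warn, if the log package provides it, would be the usual choice. IssuePinMove continues past the end of the hunk.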