Fix permission check on issue/pull lock (#22114)
authorLunny Xiao <xiaolunwen@gmail.com>
Mon, 12 Dec 2022 19:59:28 +0000 (03:59 +0800)
committerGitHub <noreply@github.com>
Mon, 12 Dec 2022 19:59:28 +0000 (20:59 +0100)
Fix #22110

routers/web/web.go

index e4fea38244a1376a758c31c7e7ac1e025c762701..3bcbc6d7c04dc9653eb6fa4005e783f69fb52336 100644 (file)
@@ -599,7 +599,6 @@ func RegisterRoutes(m *web.Route) {
        reqRepoReleaseWriter := context.RequireRepoWriter(unit.TypeReleases)
        reqRepoReleaseReader := context.RequireRepoReader(unit.TypeReleases)
        reqRepoWikiWriter := context.RequireRepoWriter(unit.TypeWiki)
-       reqRepoIssueWriter := context.RequireRepoWriter(unit.TypeIssues)
        reqRepoIssueReader := context.RequireRepoReader(unit.TypeIssues)
        reqRepoPullsReader := context.RequireRepoReader(unit.TypePullRequests)
        reqRepoIssuesOrPullsWriter := context.RequireRepoWriterOr(unit.TypeIssues, unit.TypePullRequests)
@@ -893,8 +892,8 @@ func RegisterRoutes(m *web.Route) {
                                        })
                                })
                                m.Post("/reactions/{action}", bindIgnErr(forms.ReactionForm{}), repo.ChangeIssueReaction)
-                               m.Post("/lock", reqRepoIssueWriter, bindIgnErr(forms.IssueLockForm{}), repo.LockIssue)
-                               m.Post("/unlock", reqRepoIssueWriter, repo.UnlockIssue)
+                               m.Post("/lock", reqRepoIssuesOrPullsWriter, bindIgnErr(forms.IssueLockForm{}), repo.LockIssue)
+                               m.Post("/unlock", reqRepoIssuesOrPullsWriter, repo.UnlockIssue)
                                m.Post("/delete", reqRepoAdmin, repo.DeleteIssue)
                        }, context.RepoMustNotBeArchived())
                        m.Group("/{index}", func() {
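Review bot: `reqRepoIssuesOrPullsWriter` is built with `RequireRepoWriterOr(unit.TypeIssues, unit.TypePullRequests)`, so on the new `/lock` and `/unlock` routes write access to either unit passes the middleware, whether the target index is an issue or a pull request. Unless `repo.LockIssue` and `repo.UnlockIssue` (not visible in this hunk) re-check the unit that matches the target, an account with write on pull requests only would be allowed to lock or unlock a plain issue, and the reverse. I would confirm that both handlers gate on the target's type, for example `if !ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) { ctx.Error(http.StatusForbidden); return }`. An integration test should cover both cross-unit cases so the per-type check cannot regress. The enclosing `RegisterRoutes` body starts and ends outside the hunk.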