From 6d6f1d568ec36786b1020f4b43cbd872228c6633 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 20 Jan 2020 20:00:32 +0800
Subject: Fix wrong permissions check when issues/prs shared operations (#9885)

* Fix wrong permissions check when issues/prs shared operations

* move redirect to the last of the function

* fix swagger

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
---
 modules/repofiles/action.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'modules/repofiles')

diff --git a/modules/repofiles/action.go b/modules/repofiles/action.go
index 3be6509bc2..a1c2bd993f 100644
--- a/modules/repofiles/action.go
+++ b/modules/repofiles/action.go
@@ -104,8 +104,8 @@ func UpdateIssuesCommit(doer *models.User, repo *models.Repository, commits []*r
 			refMarked[key] = true
 
 			// FIXME: this kind of condition is all over the code, it should be consolidated in a single place
-			canclose := perm.IsAdmin() || perm.IsOwner() || perm.CanWrite(models.UnitTypeIssues) || refIssue.PosterID == doer.ID
-			cancomment := canclose || perm.CanRead(models.UnitTypeIssues)
+			canclose := perm.IsAdmin() || perm.IsOwner() || perm.CanWriteIssuesOrPulls(refIssue.IsPull) || refIssue.PosterID == doer.ID
+			cancomment := canclose || perm.CanReadIssuesOrPulls(refIssue.IsPull)
 
 			// Don't proceed if the user can't comment
 			if !cancomment {
-- 
cgit v1.2.3