diff --git a/routers/api/v1/repo/issue_comment_attachment.go b/routers/api/v1/repo/issue_comment_attachment.go
index 9edc9a3cb1..b2e0b57145 100644
--- a/routers/api/v1/repo/issue_comment_attachment.go
+++ b/routers/api/v1/repo/issue_comment_attachment.go
@@ -356,8 +356,8 @@ func canUserWriteIssueCommentAttachment(ctx *context.APIContext) bool {
 	// ctx.Comment is assumed to be set in a safe way via a middleware
 	comment := ctx.Comment
-	canEditComment := ctx.IsSigned && (ctx.Doer.ID == comment.PosterID || ctx.IsUserRepoAdmin() || ctx.IsUserSiteAdmin()) && ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull)
-	if !canEditComment {
+	cannotEditComment := !ctx.IsSigned || (ctx.Doer.ID != comment.PosterID && !ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull))
+	if cannotEditComment {
 		ctx.Error(http.StatusForbidden, "", "user should have permission to edit comment")
 		return false
 	}
diff --git a/tests/integration/api_comment_attachment_test.go b/tests/integration/api_comment_attachment_test.go
index 4bad3ca67e..a5e84f0cf8 100644
--- a/tests/integration/api_comment_attachment_test.go
+++ b/tests/integration/api_comment_attachment_test.go
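Review bot: The rewritten condition drops the `ctx.Repo.CanWriteIssuesOrPulls` requirement for the comment's author, so the poster branch no longer consults any repository-level permission; whether an author who has since lost access to the repository or its issues unit is still rejected now rests entirely on the upstream middleware that the existing comment says sets `ctx.Comment`, which is worth confirming and recording here. The explicit `IsUserRepoAdmin`/`IsUserSiteAdmin` checks are gone as well and are presumably subsumed by `CanWriteIssuesOrPulls`; once confirmed, a doc comment above the function stating the contract would make the intent reviewable, e.g. `// canUserWriteIssueCommentAttachment reports whether the doer may change attachments on ctx.Comment: the comment's author, or anyone with write access to the issues/pulls unit (which includes repo and site admins). Repository read access is enforced by the middleware that loads ctx.Comment.` As a point of style, `cannotEditComment` is a negated name tested directly, which reads as a double negative; the positive form `canEditComment := ctx.IsSigned && (ctx.Doer.ID == comment.PosterID || ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull))` with `if !canEditComment {` is equivalent and matches the forbidden message. The function's closing lines fall outside the hunk.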
@@ -96,12 +96,14 @@ func TestAPIListCommentAttachments(t *testing.T) {
 func TestAPICreateCommentAttachment(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
-	comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 2})
+	comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 3})
 	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: comment.IssueID})
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
 	repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	commentPoster := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: comment.PosterID})
-	session := loginUser(t, repoOwner.Name)
+	session := loginUser(t, commentPoster.Name)
+	require.NotEqual(t, commentPoster.Name, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 	filename := "image.png"