[v14.0/forgejo] fix: comment attachment API is more restrictive than the web UI (#11742)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/11623 The permission check for editing the attachments of a comment (adding or removing them) is changed to be the same as when editing the textual body of the comment. The poster of a comment can always edit it via the web UI, which includes the ability to remove or add attachments. It does not require write permission on the issue or pull unit of the repository. The API is consistent with the web UI in how it [verifies permissions for editing comments][0] when modifying the textual content. However, when adding or removing the attachments of a comment, it [also requires write permissions][1] on the issue or pull unit, which is inconsistent with the web UI and more restrictive. [0]: a581059606/routers/api/v1/repo/issue_comment.go (L606) [1]: a581059606/routers/api/v1/repo/issue_comment_attachment.go (L359) Co-authored-by: limiting-factor <limiting-factor@posteo.com> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11742 Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2026-05-12 22:10:25 +00:00 · 2026-03-19 04:19:17 +01:00 · 2026-03-19 04:19:17 +01:00 · 72d35af26a
commit 72d35af26a
parent eac5cb9a64
2 changed files with 6 additions and 4 deletions
--- a/routers/api/v1/repo/issue_comment_attachment.go
+++ b/routers/api/v1/repo/issue_comment_attachment.go
@ -356,8 +356,8 @@ func canUserWriteIssueCommentAttachment(ctx *context.APIContext) bool {
 	// ctx.Comment is assumed to be set in a safe way via a middleware
 	comment := ctx.Comment

-	canEditComment := ctx.IsSigned && (ctx.Doer.ID == comment.PosterID || ctx.IsUserRepoAdmin() || ctx.IsUserSiteAdmin()) && ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull)
-	if !canEditComment {
+	cannotEditComment := !ctx.IsSigned || (ctx.Doer.ID != comment.PosterID && !ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull))
+	if cannotEditComment {
 		ctx.Error(http.StatusForbidden, "", "user should have permission to edit comment")
 		return false
 	}
--- a/tests/integration/api_comment_attachment_test.go
+++ b/tests/integration/api_comment_attachment_test.go
@ -96,12 +96,14 @@ func TestAPIListCommentAttachments(t *testing.T) {
 func TestAPICreateCommentAttachment(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()

-	comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 2})
+	comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 3})
 	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: comment.IssueID})
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
 	repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	commentPoster := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: comment.PosterID})

-	session := loginUser(t, repoOwner.Name)
+	session := loginUser(t, commentPoster.Name)
+	require.NotEqual(t, commentPoster.Name, repoOwner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)

 	filename := "image.png"