From 72d35af26abf20d68bab67ee23a71d5c3e5e3eb8 Mon Sep 17 00:00:00 2001
From: forgejo-backport-action
Date: Thu, 19 Mar 2026 04:19:17 +0100
Subject: [PATCH] [v14.0/forgejo] fix: comment attachment API is more restrictive than the web UI (#11742)
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/11623
The permission check for editing the attachments of a comment (adding or removing them) is changed to be the same as when editing the textual body of the comment. The poster of a comment can always edit it via the web UI, which includes the ability to remove or add attachments. It does not require write permission on the issue or pull unit of the repository. The API is consistent with the web UI in how it [verifies permissions for editing comments][0] when modifying the textual content. However, when adding or removing the attachments of a comment, it [also requires write permissions][1] on the issue or pull unit, which is inconsistent with the web UI and more restrictive.
[0]: https://codeberg.org/forgejo/forgejo/src/commit/a58105960684a456009b55d839d59a8da42e73cc/routers/api/v1/repo/issue_comment.go#L606
[1]: https://codeberg.org/forgejo/forgejo/src/commit/a58105960684a456009b55d839d59a8da42e73cc/routers/api/v1/repo/issue_comment_attachment.go#L359
Co-authored-by: limiting-factor
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11742
Co-authored-by: forgejo-backport-action
Co-committed-by: forgejo-backport-action
---
 routers/api/v1/repo/issue_comment_attachment.go | 4 ++--
 tests/integration/api_comment_attachment_test.go | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/routers/api/v1/repo/issue_comment_attachment.go b/routers/api/v1/repo/issue_comment_attachment.go
index 9edc9a3cb1..b2e0b57145 100644
--- a/routers/api/v1/repo/issue_comment_attachment.go
+++ b/routers/api/v1/repo/issue_comment_attachment.go
@@ -356,8 +356,8 @@ func canUserWriteIssueCommentAttachment(ctx *context.APIContext) bool {
 // ctx.Comment is assumed to be set in a safe way via a middleware
 comment := ctx.Comment
-canEditComment := ctx.IsSigned && (ctx.Doer.ID == comment.PosterID || ctx.IsUserRepoAdmin() || ctx.IsUserSiteAdmin()) && ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull)
-if !canEditComment {
+cannotEditComment := !ctx.IsSigned || (ctx.Doer.ID != comment.PosterID && !ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull))
+if cannotEditComment {
 ctx.Error(http.StatusForbidden, "", "user should have permission to edit comment")
 return false
 }
diff --git a/tests/integration/api_comment_attachment_test.go b/tests/integration/api_comment_attachment_test.go
index 4bad3ca67e..a5e84f0cf8 100644
--- a/tests/integration/api_comment_attachment_test.go
+++ b/tests/integration/api_comment_attachment_test.go
@@ -96,12 +96,14 @@ func TestAPIListCommentAttachments(t *testing.T) {
 func TestAPICreateCommentAttachment(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
-comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 2})
+comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 3})
 issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: comment.IssueID})
 repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
 repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+commentPoster := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: comment.PosterID})
-session := loginUser(t, repoOwner.Name)
+session := loginUser(t, commentPoster.Name)
+require.NotEqual(t, commentPoster.Name, repoOwner.Name)
 token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 filename := "image.png"
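Review bot: The new `cannotEditComment` predicate is a hand-copied twin of the comment-edit check in issue_comment.go that the description cites as the reference, so the two authorization rules can drift apart again exactly as they did before this fix; a shared helper (something like `canEditIssueComment(ctx, comment) bool`, name to be chosen) called from both sites would make the "same as editing the body" guarantee structural rather than a convention. The negatively named boolean also reads awkwardly at `if cannotEditComment {`; the positive form keeps the happy path obvious, e.g. `canEditComment := ctx.IsSigned && (ctx.Doer.ID == comment.PosterID || ctx.Repo.CanWriteIssuesOrPulls(comment.Issue.IsPull))` followed by `if !canEditComment {`. Since the function's doc comment sits outside the hunk, it should be updated to state the relaxed rule explicitly: the comment's poster may add or remove its attachments without write permission on the issue or pull unit, and anyone else needs that write permission. canUserWriteIssueCommentAttachment starts before and ends after this hunk.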
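Review bot: TestAPICreateCommentAttachment now only exercises the newly permitted case (the poster, who is asserted not to be the repo owner, may upload), but nothing in this hunk checks that the relaxed rule did not widen further: a signed-in user who is neither the poster nor a holder of write permission on the issue unit should still receive 403 from the attachment endpoints. Adding that negative case, presumably with a different fixture user and `MakeRequest(t, req, http.StatusForbidden)` in the style the file already uses, would pin the authorization boundary rather than just its new inside edge, unless such a case already exists elsewhere in this file. The `require.NotEqual` on the names is a useful guard against a fixture where the poster happens to be the owner; a one-line comment saying that is its purpose (`// the fixture must not let the owner role mask the poster-only path`) would keep a later fixture change from silently dropping it. TestAPICreateCommentAttachment continues beyond this hunk.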