From 48f5d519088c2b33b48eb35f6ef3261e3ec677a1 Mon Sep 17 00:00:00 2001
From: a1012112796 <1012112796@qq.com>
Date: Sat, 28 Jan 2023 17:28:55 +0800
Subject: [PATCH] fix permission check for creating comment while mail (#22524)

Only creating a comment on a locked issue requires write permission;
for others, read permission is enough.

related to https://github.com/go-gitea/gitea/pull/22056

/cc @KN4CK3R

---------

Signed-off-by: a1012112796 <1012112796@qq.com>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 services/mailer/incoming/incoming_handler.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/services/mailer/incoming/incoming_handler.go b/services/mailer/incoming/incoming_handler.go
index 173b362a55..d89a5eab3d 100644
--- a/services/mailer/incoming/incoming_handler.go
+++ b/services/mailer/incoming/incoming_handler.go
@@ -71,11 +71,17 @@ func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *u
 		return err
 	}
 
-	if !perm.CanWriteIssuesOrPulls(issue.IsPull) || issue.IsLocked && !doer.IsAdmin {
+	// Locked issues require write permissions
+	if issue.IsLocked && !perm.CanWriteIssuesOrPulls(issue.IsPull) && !doer.IsAdmin {
 		log.Debug("can't write issue or pull")
 		return nil
 	}
 
+	if !perm.CanReadIssuesOrPulls(issue.IsPull) {
+		log.Debug("can't read issue or pull")
+		return nil
+	}
+
 	switch r := ref.(type) {
 	case *issues_model.Issue:
 		attachmentIDs := make([]string, 0, len(content.Attachments))
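Review bot: The debug message kept in the first branch, `log.Debug("can't write issue or pull")`, no longer matches what that branch rejects. It now fires only for a locked issue whose sender has neither write permission nor site-admin status, so something like `log.Debug("can't comment on locked issue or pull without write permission")` would be accurate, and the comment above it could name the admin exemption: `// Locked issues accept comments only from writers or site admins`. Consider moving the `CanReadIssuesOrPulls` check ahead of the locked check, so the baseline access gate runs first and a sender without read access is logged as such regardless of lock state. Both denials return nil and log only at debug level without identifying the sender or the issue, which makes rejected mail replies hard to audit; adding `doer.ID` and `issue.ID` to the messages would help. No test for a read-only sender on a locked versus an unlocked issue is visible in this patch, and Handle's body starts and ends outside the hunk.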