From 33affdcfc982b6a94ada361d49d460a3c4fb0c89 Mon Sep 17 00:00:00 2001
From: a1012112796 <1012112796@qq.com>
Date: Thu, 19 Jan 2023 08:04:12 +0000
Subject: [PATCH 1/2] fix permission check for creating comment while mail only creating comment on locked issue request write permission, for others, read permission is enough.

Signed-off-by: a1012112796 <1012112796@qq.com>
---
 services/mailer/incoming/incoming_handler.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/services/mailer/incoming/incoming_handler.go b/services/mailer/incoming/incoming_handler.go
index 173b362a5505f..3541296b48a5a 100644
--- a/services/mailer/incoming/incoming_handler.go
+++ b/services/mailer/incoming/incoming_handler.go
@@ -71,11 +71,16 @@ func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *u
 return err
 }
 
- if !perm.CanWriteIssuesOrPulls(issue.IsPull) || issue.IsLocked && !doer.IsAdmin {
+ if !perm.CanWriteIssuesOrPulls(issue.IsPull) && issue.IsLocked && !doer.IsAdmin {
 log.Debug("can't write issue or pull")
 return nil
 }
 
+ if !perm.CanReadIssuesOrPulls(issue.IsPull) {
+ log.Debug("can't read issue or pull")
+ return nil
+ }
+
 switch r := ref.(type) {
 case *issues_model.Issue:
 attachmentIDs := make([]string, 0, len(content.Attachments))
From a18311c599420c5f55829661ef92e9ef63e9fd35 Mon Sep 17 00:00:00 2001
From: a1012112796 <1012112796@qq.com>
Date: Sat, 21 Jan 2023 15:28:02 +0800
Subject: [PATCH 2/2] Update services/mailer/incoming/incoming_handler.go

Co-authored-by: delvh
---
 services/mailer/incoming/incoming_handler.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/services/mailer/incoming/incoming_handler.go b/services/mailer/incoming/incoming_handler.go
index 3541296b48a5a..d89a5eab3d1bc 100644
--- a/services/mailer/incoming/incoming_handler.go
+++ b/services/mailer/incoming/incoming_handler.go
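Review bot: In the first patch's hunk (-71,11 +71,16), the relaxed lock gate and the new `CanReadIssuesOrPulls` gate change who may create a comment by mail, yet the diffstat shows only incoming_handler.go touched and no test for the new permission matrix. A table test over read-only/unlocked, read-only/locked, no-read-access and admin/locked would pin the rule the commit message states and guard against the mail path drifting to a weaker check than other comment paths (not visible from this hunk). Both denial branches also log a fixed string, so a dropped reply cannot be tied to a sender or issue; something like `log.Debug("mail reply dropped: user %d cannot read issue %d", doer.ID, issue.ID)` would make rejections traceable. Handle starts and ends outside this hunk.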
@@ -71,7 +71,8 @@ func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *u
 return err
 }
 
- if !perm.CanWriteIssuesOrPulls(issue.IsPull) && issue.IsLocked && !doer.IsAdmin {
+ // Locked issues require write permissions
+ if issue.IsLocked && !perm.CanWriteIssuesOrPulls(issue.IsPull) && !doer.IsAdmin {
 log.Debug("can't write issue or pull")
 return nil
 }
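Review bot: The added comment `// Locked issues require write permissions` leaves out the `!doer.IsAdmin` term of the condition below it, so it reads as if an admin without write permission is also refused on a locked issue. Suggest `// Locked issues accept mail replies only from users with write permission or from admins.` so the documented rule matches the three-term check. The message in the same branch, `can't write issue or pull`, could likewise name the lock as the reason, since an unlocked issue no longer requires write permission after this series. The enclosing Handle function starts and ends outside this hunk.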