fix(issues): only allow edit of own comments & do not allow non-admin delete of issues with comments (#2248)

2025-09-17 17:24:35 +02:00 · 2021-10-30 19:54:01 -04:00
parent 0828b008ba
commit bba09d69c1
5 changed files with 63 additions and 59 deletions
--- a/server/routes/issue.ts
+++ b/server/routes/issue.ts
@@ -302,7 +302,7 @@ issueRoutes.delete('/:issueId', async (req, res, next) => {

    if (
      !req.user?.hasPermission(Permission.MANAGE_ISSUES) &&
-      issue.createdBy.id !== req.user?.id
+      (issue.createdBy.id !== req.user?.id || issue.comments.length > 1)
    ) {
      return next({
        status: 401,
--- a/server/routes/issueComment.ts
+++ b/server/routes/issueComment.ts
@@ -68,13 +68,10 @@ issueCommentRoutes.put<
        where: { id: Number(req.params.commentId) },
      });

-      if (
-        !req.user?.hasPermission([Permission.MANAGE_ISSUES], { type: 'or' }) &&
-        comment.user.id !== req.user?.id
-      ) {
+      if (comment.user.id !== req.user?.id) {
        return next({
          status: 403,
-          message: 'You do not have permission to edit this comment.',
+          message: 'You can only edit your own comments.',
        });
      }