From 4835a0ba497935b979cf47d2bc96aaeb852f81fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E5=81=A5=E8=BE=89?=
 <40563566+mrwangjianhui@users.noreply.github.com>
Date: Thu, 10 Mar 2022 12:14:12 +0800
Subject: [PATCH] improve edit file_comment permission

---
 seahub/api2/endpoints/file_comment.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/seahub/api2/endpoints/file_comment.py b/seahub/api2/endpoints/file_comment.py
index 08bd27564b..395f230ccc 100644
--- a/seahub/api2/endpoints/file_comment.py
+++ b/seahub/api2/endpoints/file_comment.py
@@ -29,12 +29,16 @@ class FileCommentView(APIView):
     def get(self, request, repo_id, comment_id, format=None):
         """Get a comment.
         """
+        # resource check
         try:
             file_comment = FileComment.objects.get(pk=comment_id)
         except FileComment.DoesNotExist:
             return api_error(status.HTTP_400_BAD_REQUEST, 'Wrong comment id')
 
         # permission check
+        if file_comment.uuid.repo_id != repo_id:
+            return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
+
         if check_folder_permission(request, repo_id, '/') is None:
             return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
         try:
@@ -53,11 +57,16 @@ class FileCommentView(APIView):
         """Delete a comment, only comment author or repo owner can perform
         this op.
         """
+        # resource check
         try:
             file_comment = FileComment.objects.get(pk=comment_id)
         except FileComment.DoesNotExist:
             return api_error(status.HTTP_400_BAD_REQUEST, 'Wrong comment id')
 
+        # permission check
+        if file_comment.uuid.repo_id != repo_id:
+            return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
+
         username = request.user.username
         if username != file_comment.author and not is_repo_owner(request, repo_id, username):
             return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
@@ -67,7 +76,7 @@ class FileCommentView(APIView):
         return Response(status=204)
 
     def put(self, request, repo_id, comment_id, format=None):
-        """Update a comment, only comment author or repo owner can perform
+        """Update a comment, only comment author can perform
         this op
         1.Change resolved of comment
         2.Add comment_detail
@@ -88,7 +97,12 @@ class FileCommentView(APIView):
             return api_error(status.HTTP_404_NOT_FOUND, error_msg)
 
         # permission check
-        if check_folder_permission(request, repo_id, '/') != PERMISSION_READ_WRITE:
+        if file_comment.uuid.repo_id != repo_id:
+            return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
+
+        username = request.user.username
+        if username != file_comment.author or \
+                not check_folder_permission(request, repo_id, '/') != PERMISSION_READ_WRITE:
             error_msg = 'Permission denied.'
             return api_error(status.HTTP_403_FORBIDDEN, error_msg)