zhi/HarborForge.Backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: enforce missing RBAC checks on issue/comment updates and deletes

Browse Source
This commit is contained in:
zhi
2026-03-11 10:43:31 +00:00
parent 3cf2b1bc49
commit a21026ac09
3 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
app/api/routers/comments.py
View File

@@ -56,10 +56,14 @@ def list_comments(issue_id: int, db: Session = Depends(get_db)):
@router.patch("/comments/{comment_id}", response_model=schemas.CommentResponse)
def update_comment(comment_id: int, comment_update: schemas.CommentUpdate, db: Session = Depends(get_db)):
def update_comment(comment_id: int, comment_update: schemas.CommentUpdate, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
comment = db.query(models.Comment).filter(models.Comment.id == comment_id).first()
if not comment:
raise HTTPException(status_code=404, detail="Comment not found")
issue = db.query(models.Issue).filter(models.Issue.id == comment.issue_id).first()
if not issue:
raise HTTPException(status_code=404, detail="Issue not found")
check_project_role(db, current_user.id, issue.project_id, min_role="viewer")
for field, value in comment_update.model_dump(exclude_unset=True).items():
setattr(comment, field, value)
db.commit()