Fix issue & comment history bugs (#29525)

* Follow #17746: `HasIssueContentHistory` should use expr builder to make sure zero value (0) be respected. * Add "doer" check to make sure `canSoftDeleteContentHistory` only be called by sign-in users.
2025-07-23 02:38:35 +00:00 · 2024-03-02 00:46:02 +08:00
parent 3b99066aa8
commit 4b8293aa09
3 changed files with 26 additions and 7 deletions
--- a/routers/web/repo/issue_content_history.go
+++ b/routers/web/repo/issue_content_history.go
@@ -94,7 +94,7 @@ func canSoftDeleteContentHistory(ctx *context.Context, issue *issues_model.Issue
 	// CanWrite means the doer can manage the issue/PR list
 	if ctx.Repo.IsOwner() || ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) {
 		canSoftDelete = true
-	} else {
+	} else if ctx.Doer != nil {
 		// for read-only users, they could still post issues or comments,
 		// they should be able to delete the history related to their own issue/comment, a case is:
 		// 1. the user posts some sensitive data
@@ -186,6 +186,10 @@ func SoftDeleteContentHistory(ctx *context.Context) {
 	if ctx.Written() {
 		return
 	}
+	if ctx.Doer == nil {
+		ctx.NotFound("Require SignIn", nil)
+		return
+	}

 	commentID := ctx.FormInt64("comment_id")
 	historyID := ctx.FormInt64("history_id")