diff --git a/kallithea/controllers/changeset.py b/kallithea/controllers/changeset.py --- a/kallithea/controllers/changeset.py +++ b/kallithea/controllers/changeset.py @@ -423,11 +423,11 @@ class ChangesetController(BaseRepoContro 'repository.admin') @jsonify def delete_comment(self, repo_name, comment_id): - co = ChangesetComment.get(comment_id) - if not co: - raise HTTPBadRequest() + co = ChangesetComment.get_or_404(comment_id) + if co.repo.repo_name != repo_name: + raise HTTPNotFound() owner = co.author.user_id == c.authuser.user_id - repo_admin = h.HasRepoPermissionAny('repository.admin') + repo_admin = h.HasRepoPermissionAny('repository.admin')(repo_name) if h.HasPermissionAny('hg.admin')() or repo_admin or owner: ChangesetCommentsModel().delete(comment=co) Session().commit() diff --git a/kallithea/controllers/pullrequests.py b/kallithea/controllers/pullrequests.py --- a/kallithea/controllers/pullrequests.py +++ b/kallithea/controllers/pullrequests.py @@ -485,7 +485,7 @@ class PullrequestsController(BaseRepoCon #only owner or admin can update it owner = pull_request.owner.user_id == c.authuser.user_id repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name) - if not (h.HasPermissionAny('hg.admin') or repo_admin or owner): + if not (h.HasPermissionAny('hg.admin')() or repo_admin or owner): raise HTTPForbidden() _form = PullRequestPostForm()().to_python(request.POST) @@ -788,7 +788,7 @@ class PullrequestsController(BaseRepoCon owner = co.author.user_id == c.authuser.user_id repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name) - if h.HasPermissionAny('hg.admin') or repo_admin or owner: + if h.HasPermissionAny('hg.admin')() or repo_admin or owner: ChangesetCommentsModel().delete(comment=co) Session().commit() return True