Commits should consider user permissions when creating comments on referenced issues

[guillep2k]

• Gitea version (or commit ref): 1.9.3

Description

Currently UpdateIssuesCommit() creates a cross-reference comment on another repository even if the user has no permission whatsoever on it.

gitea/models/action.go

Lines 572 to 600 in 63ff616

	for _, m := range issueReferenceKeywordsPat.FindAllStringSubmatch(c.Message, -1) {
	if len(m[3]) == 0 {
	continue
	}
	ref := m[3]
	// issue is from another repo
	if len(m[1]) > 0 && len(m[2]) > 0 {
	refRepo, err = GetRepositoryFromMatch(m[1], m[2])
	if err != nil {
	continue
	}
	} else {
	refRepo = repo
	}
	issue, err := getIssueFromRef(refRepo, ref)
	if err != nil {
	return err
	}
	if issue == nil || refMarked[issue.ID] {
	continue
	}
	refMarked[issue.ID] = true
	message := fmt.Sprintf(`<a href="%s/commit/%s">%s</a>`, repo.Link(), c.Sha1, html.EscapeString(c.Message))
	if err = CreateRefComment(doer, refRepo, issue, message, c.Sha1); err != nil {
	return err
	}