changeset 5810:81057be7a5c1 stable

auth: properly invoke PermFunctions (CVE-2016-3114) This fixes a vulnerability that allowed logged-in users to edit or delete open pull requests associated with any repository to which they had read access, plus a related vulnerability allowing logged-in users to delete any comment from any repository, provided they could determine the comment ID and had read access to just one repository.
author Søren Løvborg <sorenl@unity3d.com>
date Tue, 19 Apr 2016 16:57:38 +0200
parents 93b512845dab
children 9b74296e6af6
files kallithea/controllers/changeset.py kallithea/controllers/pullrequests.py
diffstat 2 files changed, 6 insertions(+), 6 deletions(-) [+]
--- a/kallithea/controllers/changeset.py	Mon Feb 22 10:18:27 2016 +0100
+++ b/kallithea/controllers/changeset.py	Tue Apr 19 16:57:38 2016 +0200
@@ -423,11 +423,11 @@
                                    'repository.admin')
     @jsonify
     def delete_comment(self, repo_name, comment_id):
-        co = ChangesetComment.get(comment_id)
-        if not co:
-            raise HTTPBadRequest()
+        co = ChangesetComment.get_or_404(comment_id)
+        if co.repo.repo_name != repo_name:
+            raise HTTPNotFound()
         owner = co.author.user_id == c.authuser.user_id
-        repo_admin = h.HasRepoPermissionAny('repository.admin')
+        repo_admin = h.HasRepoPermissionAny('repository.admin')(repo_name)
         if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
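Review bot: The new repository check on `co.repo.repo_name != repo_name` is the line that actually closes the cross-repository hole, because `comment_id` is a global id while the permission decorator above the hunk only covers `repo_name`; nothing in the code records that, so a later refactor could drop it as redundant. A short comment would pin the intent: `# comment ids are global: only act on a comment that belongs to the repo the decorator authorised`. Raising HTTPNotFound rather than HTTPForbidden on the mismatch looks deliberate, since it does not confirm that the comment exists in some other repository, and that could be stated in the same comment. The decorator on the hunk's first line starts outside the hunk, and delete_comment's body continues past it.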
--- a/kallithea/controllers/pullrequests.py	Mon Feb 22 10:18:27 2016 +0100
+++ b/kallithea/controllers/pullrequests.py	Tue Apr 19 16:57:38 2016 +0200
@@ -485,7 +485,7 @@
         #only owner or admin can update it
         owner = pull_request.owner.user_id == c.authuser.user_id
         repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name)
-        if not (h.HasPermissionAny('hg.admin') or repo_admin or owner):
+        if not (h.HasPermissionAny('hg.admin')() or repo_admin or owner):
             raise HTTPForbidden()
 
         _form = PullRequestPostForm()().to_python(request.POST)
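Review bot: The fix on the `if not (h.HasPermissionAny('hg.admin')() ...)` line is correct, but the underlying bug class is easy to reintroduce: an uncalled `h.HasPermissionAny(...)` is a checker object that is always truthy, which is exactly why the old condition granted access to everyone. A one-line comment at the check would guard against a repeat: `# HasPermissionAny(...) builds a checker; it must be called to evaluate`. The same applies to the `hg.admin` checks in the hunk at `@@ -788,7 +788,7 @@` below and in changeset.py's delete_comment. A regression test that exercises this path as a non-owner, non-admin user and expects HTTPForbidden would make the fix durable. The enclosing method starts outside the hunk.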
@@ -788,7 +788,7 @@
 
         owner = co.author.user_id == c.authuser.user_id
         repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name)
-        if h.HasPermissionAny('hg.admin') or repo_admin or owner:
+        if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
             return True
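Review bot: Unlike changeset.py's delete_comment in this same commit, this hunk only corrects the `hg.admin` call; the lookup that binds `co` sits above the hunk and is not visible here, so I cannot tell whether it verifies that the comment belongs to `c.repo_name`. If it does not, the `repo_admin` check on `c.repo_name` and the route's repository permission would still be evaluated against a repository other than the one the comment lives in, which is the cross-repository case the description says this change addresses. Adding `if co.repo.repo_name != c.repo_name: raise HTTPNotFound()` before the `owner = ...` line, mirroring the changeset.py hunk, would settle it regardless of what the lookup does. The enclosing method starts outside the hunk.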