From 6b4cb070cce6950c034d2fdbd3497f7cf69d0d37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= <loic@dachary.org>
Date: Thu, 2 Nov 2023 15:42:22 +0100
Subject: [PATCH] enforce reqRepoReader(unit.TypeIssues) POST
 /repos/{owner}/{repo}/issues

(cherry picked from commit d3db2fa8bc85e9d67f30854bba0a4c1e8b57b015)
---
 routers/api/v1/api.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 90adeee809..092c610553 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -1154,7 +1154,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 			m.Group("/{username}/{reponame}", func() {
 				m.Group("/issues", func() {
 					m.Combo("").Get(repo.ListIssues).
-						Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)
+						Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), reqRepoReader(unit.TypeIssues), repo.CreateIssue)
 					m.Get("/pinned", reqRepoReader(unit.TypeIssues), repo.ListPinnedIssues)
 					m.Group("/comments", func() {
 						m.Get("", repo.ListRepoIssueComments)