From 079ef568247f9216a6e66c7e6038e11cc2bdd5f5 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 13 Dec 2022 03:59:50 +0800
Subject: [PATCH] Fix permission check on issue/pull lock (#22113)

backport #22110
---
 routers/web/web.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/routers/web/web.go b/routers/web/web.go
index 9e0440d09..8ab90f7ed 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -626,7 +626,6 @@ func RegisterRoutes(m *web.Route) {
 	reqRepoReleaseWriter := context.RequireRepoWriter(unit.TypeReleases)
 	reqRepoReleaseReader := context.RequireRepoReader(unit.TypeReleases)
 	reqRepoWikiWriter := context.RequireRepoWriter(unit.TypeWiki)
-	reqRepoIssueWriter := context.RequireRepoWriter(unit.TypeIssues)
 	reqRepoIssueReader := context.RequireRepoReader(unit.TypeIssues)
 	reqRepoPullsReader := context.RequireRepoReader(unit.TypePullRequests)
 	reqRepoIssuesOrPullsWriter := context.RequireRepoWriterOr(unit.TypeIssues, unit.TypePullRequests)
@@ -947,8 +946,8 @@ func RegisterRoutes(m *web.Route) {
 					})
 				})
 				m.Post("/reactions/{action}", bindIgnErr(forms.ReactionForm{}), repo.ChangeIssueReaction)
-				m.Post("/lock", reqRepoIssueWriter, bindIgnErr(forms.IssueLockForm{}), repo.LockIssue)
-				m.Post("/unlock", reqRepoIssueWriter, repo.UnlockIssue)
+				m.Post("/lock", reqRepoIssuesOrPullsWriter, bindIgnErr(forms.IssueLockForm{}), repo.LockIssue)
+				m.Post("/unlock", reqRepoIssuesOrPullsWriter, repo.UnlockIssue)
 				m.Post("/delete", reqRepoAdmin, repo.DeleteIssue)
 			}, context.RepoMustNotBeArchived())
 			m.Group("/{index}", func() {