From 87c64f655a6085f23499156504e039c13da77b21 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 12 Dec 2022 23:02:51 +0800
Subject: [PATCH] Fix permission check on issue/pull lock (#22110)

Fix #21826
---
 routers/web/web.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/routers/web/web.go b/routers/web/web.go
index 99c2a8391..f9d97758a 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -655,7 +655,6 @@ func RegisterRoutes(m *web.Route) {
 	reqRepoReleaseWriter := context.RequireRepoWriter(unit.TypeReleases)
 	reqRepoReleaseReader := context.RequireRepoReader(unit.TypeReleases)
 	reqRepoWikiWriter := context.RequireRepoWriter(unit.TypeWiki)
-	reqRepoIssueWriter := context.RequireRepoWriter(unit.TypeIssues)
 	reqRepoIssueReader := context.RequireRepoReader(unit.TypeIssues)
 	reqRepoPullsReader := context.RequireRepoReader(unit.TypePullRequests)
 	reqRepoIssuesOrPullsWriter := context.RequireRepoWriterOr(unit.TypeIssues, unit.TypePullRequests)
@@ -992,8 +991,8 @@ func RegisterRoutes(m *web.Route) {
 					})
 				})
 				m.Post("/reactions/{action}", web.Bind(forms.ReactionForm{}), repo.ChangeIssueReaction)
-				m.Post("/lock", reqRepoIssueWriter, web.Bind(forms.IssueLockForm{}), repo.LockIssue)
-				m.Post("/unlock", reqRepoIssueWriter, repo.UnlockIssue)
+				m.Post("/lock", reqRepoIssuesOrPullsWriter, web.Bind(forms.IssueLockForm{}), repo.LockIssue)
+				m.Post("/unlock", reqRepoIssuesOrPullsWriter, repo.UnlockIssue)
 				m.Post("/delete", reqRepoAdmin, repo.DeleteIssue)
 			}, context.RepoMustNotBeArchived())
 			m.Group("/{index}", func() {