From 6bffaf5ecfe4c54f923612df9df25800f1180c12 Mon Sep 17 00:00:00 2001
From: Gusted <williamzijl7@hotmail.com>
Date: Sat, 4 Jun 2022 18:58:47 +0200
Subject: [PATCH 1/4] Move `/info` outside authorization

- To use the web's API to get information about a issue/pull on a
repository, doesn't require authorization(nor that the repository isn't
archived).
- Regressed by: #19318
---
 routers/web/web.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/routers/web/web.go b/routers/web/web.go
index 1e550286f9eb1..3e837c62d09d1 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -835,6 +835,11 @@ func RegisterRoutes(m *web.Route) {
 		m.Combo("/compare/*", repo.MustBeNotEmpty, reqRepoCodeReader, repo.SetEditorconfigIfExists).
 			Get(ignSignIn, repo.SetDiffViewStyle, repo.SetWhitespaceBehavior, repo.CompareDiff).
 			Post(reqSignIn, context.RepoMustNotBeArchived(), reqRepoPullsReader, repo.MustAllowPulls, bindIgnErr(forms.CreateIssueForm{}), repo.SetWhitespaceBehavior, repo.CompareAndPullRequestPost)
+		m.Group("/{type:issues|pulls}", func() {
+			m.Group("/{index}", func() {
+				m.Get("/info", repo.GetIssueInfo)
+			})
+		})
 	}, context.RepoAssignment, context.UnitTypes())
 
 	// Grouping for those endpoints that do require authentication
@@ -851,7 +856,6 @@ func RegisterRoutes(m *web.Route) {
 		// So they can apply their own enable/disable logic on routers.
 		m.Group("/{type:issues|pulls}", func() {
 			m.Group("/{index}", func() {
-				m.Get("/info", repo.GetIssueInfo)
 				m.Post("/title", repo.UpdateIssueTitle)
 				m.Post("/content", repo.UpdateIssueContent)
 				m.Post("/deadline", bindIgnErr(structs.EditDeadlineOption{}), repo.UpdateIssueDeadline)

From 5a574d5580aa372d95cd0ef327705bfcfacbeaf3 Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Sat, 4 Jun 2022 19:10:02 +0100
Subject: [PATCH 2/4] Check we can read the issue we are looking at

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 routers/web/repo/issue.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index 079ccbf6cf968..d0ddf70485585 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -1799,6 +1799,27 @@ func GetIssueInfo(ctx *context.Context) {
 		}
 		return
 	}
+
+	if issue.IsPull {
+		// Need to check if Pulls are enabled and we can read Pulls
+		if !ctx.Repo.Repository.CanEnablePulls() || !ctx.Repo.CanRead(unit.TypePullRequests) {
+			ctx.Error(http.StatusNotFound)
+			return
+		}
+	} else {
+		// Need to check if Issues are enabled and we can read Issues
+		if !ctx.Repo.CanRead(unit.TypeIssues) &&
+			!ctx.Repo.CanRead(unit.TypeExternalTracker) {
+			ctx.Error(http.StatusNotFound)
+			return
+		}
+		_, err := ctx.Repo.Repository.GetUnit(unit.TypeExternalTracker)
+		if err == nil {
+			ctx.Error(http.StatusNotFound)
+			return
+		}
+	}
+
 	ctx.JSON(http.StatusOK, convert.ToAPIIssue(issue))
 }
 

From ab9edc29327c8c9e044180396013931299297245 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Sat, 4 Jun 2022 19:12:28 +0100
Subject: [PATCH 3/4] Update routers/web/repo/issue.go

---
 routers/web/repo/issue.go | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index d0ddf70485585..a53ebff3820ce 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -1808,13 +1808,7 @@ func GetIssueInfo(ctx *context.Context) {
 		}
 	} else {
 		// Need to check if Issues are enabled and we can read Issues
-		if !ctx.Repo.CanRead(unit.TypeIssues) &&
-			!ctx.Repo.CanRead(unit.TypeExternalTracker) {
-			ctx.Error(http.StatusNotFound)
-			return
-		}
-		_, err := ctx.Repo.Repository.GetUnit(unit.TypeExternalTracker)
-		if err == nil {
+		if !ctx.Repo.CanRead(unit.TypeIssues)  {
 			ctx.Error(http.StatusNotFound)
 			return
 		}

From 8a32fe6041cd9d6408248bb75819cb1552965958 Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Sat, 4 Jun 2022 19:31:05 +0100
Subject: [PATCH 4/4] fix fmt

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 routers/web/repo/issue.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index a53ebff3820ce..d418907a1f17c 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -1808,7 +1808,7 @@ func GetIssueInfo(ctx *context.Context) {
 		}
 	} else {
 		// Need to check if Issues are enabled and we can read Issues
-		if !ctx.Repo.CanRead(unit.TypeIssues)  {
+		if !ctx.Repo.CanRead(unit.TypeIssues) {
 			ctx.Error(http.StatusNotFound)
 			return
 		}