# HG changeset patch
# User Marcin Lulek
# Date 2019-03-11 07:46:12
# Node ID 4b3c3d76f8b0f96581406aee372863ba24497365
# Parent b36b008a6ef4e84fb66f1231d8107df70d0cf455

comments[security]: make an additional check to forbid solving comments from other repo scope.

diff --git a/rhodecode/model/comment.py b/rhodecode/model/comment.py
--- a/rhodecode/model/comment.py
+++ b/rhodecode/model/comment.py
@@ -259,8 +259,18 @@ class CommentsModel(BaseModel):
         # check if the comment actually belongs to this PR
         if resolved_comment and resolved_comment.pull_request and \
                 resolved_comment.pull_request != pull_request:
+            log.warning('Comment tried to resolved unrelated todo comment: %s',
+                        resolved_comment)
             # comment not bound to this pull request, forbid
             resolved_comment = None
+
+        elif resolved_comment and resolved_comment.repo and \
+                resolved_comment.repo != repo:
+            log.warning('Comment tried to resolved unrelated todo comment: %s',
+                        resolved_comment)
+            # comment not bound to this repo, forbid
+            resolved_comment = None
+
         comment.resolved_comment = resolved_comment
 
         pull_request_id = pull_request
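Review bot: The two added `log.warning` calls emit an identical message, so an operator reading the log cannot tell whether the pull-request-scope or the repo-scope check rejected the resolution, and "tried to resolved" reads as a typo in both. Distinguishing the messages and naming the scope being enforced makes the rejection actionable, e.g. for the new branch `log.warning('Comment tried to resolve todo comment %s bound to another repo (current repo: %s)', resolved_comment, repo)` and the PR branch worded correspondingly with `pull_request`. The new `elif` is also guarded by `resolved_comment.repo and`, so a comment whose `repo` attribute is unset (if the model allows that, which this hunk does not show) would skip the check and still be accepted; if `repo` is mandatory on a comment, a short comment saying so next to the guard would remove the doubt. The enclosing method starts and ends outside this hunk.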