# HG changeset patch
# User Marcin Kuzminski
# Date 2017-12-06 19:06:28
# Node ID 9a41d4d332df73e66f27354e28b9a78d9e7db085
# Parent 86196e6b747ca6ebdde212c58d46ab97918ac651
pull-request: verify resolve TODO comment needs to be bound to the same PR as we're calling
diff --git a/rhodecode/model/comment.py b/rhodecode/model/comment.py
--- a/rhodecode/model/comment.py
+++ b/rhodecode/model/comment.py
@@ -224,8 +224,14 @@ class CommentsModel(BaseModel):
 comment.repo = repo
 comment.author = user
- comment.resolved_comment = self.__get_commit_comment(
+ resolved_comment = self.__get_commit_comment(
 validated_kwargs['resolves_comment_id'])
+ # check if the comment actually belongs to this PR
+ if resolved_comment and resolved_comment.pull_request and \
+ resolved_comment.pull_request != pull_request:
+ # comment not bound to this pull request, forbid
+ resolved_comment = None
+ comment.resolved_comment = resolved_comment
 pull_request_id = pull_request
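Review bot: The ownership check on `resolved_comment` is skipped whenever the looked-up comment has no `pull_request`, so a caller-supplied `resolves_comment_id` that points at a commit-level comment (in this or, as far as the hunk shows, any other repository) is still accepted and bound to the new comment. Dropping the middle clause and comparing the repository as well would close that gap, e.g. `if resolved_comment and (resolved_comment.pull_request != pull_request or resolved_comment.repo != repo):`, assuming the looked-up comment carries the same `repo` attribute that is set on `comment` above. The context line `pull_request_id = pull_request` also suggests `pull_request` may arrive as an id rather than an object; if so, the `!=` is always true and legitimate resolutions are silently dropped, so comparing ids on both sides would be more robust. A log line on the rejected branch would make cross-PR resolve attempts visible instead of discarding them quietly. The enclosing method starts and ends outside the hunk.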