# HG changeset patch
# User Marcin Lulek
# Date 2019-03-11 07:46:12
# Node ID fb1ebe4a276635583e471d14cb99351549936d69
# Parent e3a8a05299547dda475bc2e23ce222ea191ad2ad
comments[security]: make an additional check to forbid solving comments from other repo scope.

diff --git a/rhodecode/model/comment.py b/rhodecode/model/comment.py
--- a/rhodecode/model/comment.py
+++ b/rhodecode/model/comment.py
@@ -259,8 +259,18 @@ class CommentsModel(BaseModel):
             # check if the comment actually belongs to this PR
             if resolved_comment and resolved_comment.pull_request and \
                     resolved_comment.pull_request != pull_request:
+                log.warning('Comment tried to resolved unrelated todo comment: %s',
+                            resolved_comment)
                 # comment not bound to this pull request, forbid
                 resolved_comment = None
+
+            elif resolved_comment and resolved_comment.repo and \
+                    resolved_comment.repo != repo:
+                log.warning('Comment tried to resolved unrelated todo comment: %s',
+                            resolved_comment)
+                # comment not bound to this repo, forbid
+                resolved_comment = None
+
         comment.resolved_comment = resolved_comment
 
         pull_request_id = pull_request
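Review bot: The two added `log.warning` calls carry an identical message, so the audit log cannot tell a pull-request mismatch from a repo mismatch, and "tried to resolved" is a typo; I would use `log.warning('Comment tried to resolve todo comment from another pull request: %s', resolved_comment)` in the first branch and `log.warning('Comment tried to resolve todo comment from another repo: %s', resolved_comment)` in the new `elif`, ideally also logging the `repo`/`pull_request` being compared against so a security reviewer can see which boundary was crossed. Because the repo check is an `elif`, it is skipped whenever the pull request matches, which is only safe if a pull-request comment's `pull_request` always lives in the same `repo` as the one passed here — presumably true for comments bound to the target repository, but worth confirming. `resolved_comment.repo != repo` also assumes `repo` has already been normalised to the same model type as `resolved_comment.repo` (a repo name or id would make the comparison fail closed for every todo resolution); the enclosing method starts and continues outside the hunk, so that normalisation is not visible here. Both branches silently drop the resolution link instead of rejecting the request, which mirrors the existing pull-request branch; if that is deliberate, a short comment such as `# silently unlink rather than error: the comment itself is still accepted` would make the intent clear.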