tenseleyflow/shithub / 2fad8e4

+	// 6a. Author-self-close on issues and PRs. The author of an issue or

+	//     PR is allowed to close (and reopen — same Action) their own

+	//     thread regardless of their collaborator role. Handlers populate

+	//     `repo.AuthorUserID` on the close path; everywhere else the

+	//     field is zero and this branch is dead. Suspension and archived

+	//     gates above still apply — they ran before this. Note: we do NOT

+	//     extend this to `ActionIssueLabel`/`ActionIssueAssign`; only the

+	//     close action is author-self by design (matches GitHub).

+	if (action == ActionIssueClose || action == ActionPullClose) &&

+		repo.AuthorUserID != 0 && repo.AuthorUserID == actor.UserID {

+		return allow("author of thread")

+	}

+

+

+// EffectiveRole returns the actor's resolved role on repo, taking

+// owner-equals-admin into account and consulting the per-request cache.

+//

+// Use this when a handler needs to ask "is this actor at least X" for a

+// rule that doesn't map cleanly to an Action — for example, the

+// locked-issue gate which lets triage+ comment despite the lock without

+// granting them any other write permission.

+//

+// Returns RoleNone for anonymous actors and on any DB error; callers

+// should treat RoleNone as "no permissions."

+func EffectiveRole(ctx context.Context, d Deps, actor Actor, repo RepoRef) Role {

+	if actor.IsAnonymous {

+		return RoleNone

+	}

+	r, err := effectiveRole(ctx, d, actor, repo)

+	if err != nil {

+		return RoleNone

+	}

+	return r

+}

+

+// HasRoleAtLeast is the convenience shorthand for the common case:

+// "does this actor hold at least `want` on this repo?" Wraps

+// EffectiveRole + RoleAtLeast.

+func HasRoleAtLeast(ctx context.Context, d Deps, actor Actor, repo RepoRef, want Role) bool {

+	return RoleAtLeast(EffectiveRole(ctx, d, actor, repo), want)

+}

+// TestAddComment_LockedAllowsCollab is the positive companion to the

+// previous test: when the orchestrator is told `IsCollab=true` the

+// locked gate must yield. This guards the policy contract — a triage+

+// collaborator is allowed to post past a lock so they can wrap up

+// drive-by spam threads. (S00-S25 audit, finding C3.)

+func TestAddComment_LockedAllowsCollab(t *testing.T) {

+	pool, deps, uid, rid := setup(t)

+	ctx := context.Background()

+	row, err := issues.Create(ctx, deps, issues.CreateParams{

+		RepoID: rid, AuthorUserID: uid, Title: "lock-me", Body: "",

+	})

+	if err != nil {

+		t.Fatalf("Create: %v", err)

+	}

+	if err := issues.SetLock(ctx, deps, uid, row.ID, true, "spam"); err != nil {

+		t.Fatalf("SetLock: %v", err)

+	}

+	uq := usersdb.New()

+	collab, err := uq.CreateUser(ctx, pool, usersdb.CreateUserParams{

+		Username: "tessie", DisplayName: "Tessie", PasswordHash: fixtureHash,

+	})

+	if err != nil {

+		t.Fatalf("CreateUser: %v", err)

+	}

+	c, err := issues.AddComment(ctx, deps, issues.CommentCreateParams{

+		IssueID:      row.ID,

+		AuthorUserID: collab.ID,

+		Body:         "wrapping up the thread",

+		IsCollab:     true,

+	})

+	if err != nil {

+		t.Fatalf("expected lock bypass for collab, got %v", err)

+	}

+	if c.ID == 0 {

+		t.Errorf("returned comment had zero ID")

+	}

+}

+

+		Audit:   h.d.Audit,

+	// IsCollab is the locked-issue bypass: triage+ on the repo can comment

+	// past a `locked=true` flag (the gate exists to silence drive-by

+	// posters). We resolve the *real* role via the policy package — owner

+	// is implicit admin, and any explicit collaborator with role >= triage

+	// passes. Read fails (DB miss, unknown role) fail closed via RoleNone.

+	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)

+	isCollab := policy.HasRoleAtLeast(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.NewRepoRefFromRepo(row), policy.RoleTriage)

+	// Two-pass authorization: read access first, then ActionIssueClose

+	// with `repo.AuthorUserID = issue.AuthorUserID` set so the policy

+	// engine grants author-self-close. Without the second pass, an

+	// issue's reporter who isn't a triage collaborator couldn't close

+	// their own thread — which the audit flagged (S00-S25, H1).

+	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionIssueRead)

+	viewer := middleware.CurrentUserFromContext(r.Context())

+	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)

+	repoRef := policy.NewRepoRefFromRepo(row)

+	if issue.AuthorUserID.Valid {

+		repoRef.AuthorUserID = issue.AuthorUserID.Int64

+	}

+	if dec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionIssueClose, repoRef); !dec.Allow {

+		h.d.Render.HTTPError(w, r, policy.Maybe404(dec, repoRef, actor), "")

+		return

+	}