fix permission check for creating comment while mail (#22524)

only creating comment on locked issue request write permission,
for others, read permission is enough.

related to #22056

/cc @KN4CK3R

---------

Signed-off-by: a1012112796 <[email protected]>
Co-authored-by: delvh <[email protected]>
Co-authored-by: Lunny Xiao <[email protected]>

Author: 3 people

Diff for: services/mailer/incoming/incoming_handler.go

@@ -71,11 +71,17 @@ func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *u
 		return err
 	}
 
-	if !perm.CanWriteIssuesOrPulls(issue.IsPull) || issue.IsLocked && !doer.IsAdmin {
+	// Locked issues require write permissions
+	if issue.IsLocked && !perm.CanWriteIssuesOrPulls(issue.IsPull) && !doer.IsAdmin {
 		log.Debug("can't write issue or pull")
 		return nil
 	}
 
+	if !perm.CanReadIssuesOrPulls(issue.IsPull) {
+		log.Debug("can't read issue or pull")
+		return nil
+	}
+
 	switch r := ref.(type) {
 	case *issues_model.Issue:
 		attachmentIDs := make([]string, 0, len(content.Attachments))