Fix comment permissions (#28213)

This PR will fix some missed checks for private repositories' data on
web routes and API routes.

routers/api/v1/repo/issue_comment_attachment.go

@@ -329,6 +329,10 @@ func getIssueCommentSafe(ctx *context.APIContext) *issues_model.Comment {
 		return nil
 	}
 
+	if !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull) {
+		return nil
+	}
+
 	comment.Issue.Repo = ctx.Repo.Repository
 
 	return comment