diff --git a/rhodecode/apps/repository/views/repo_commits.py b/rhodecode/apps/repository/views/repo_commits.py
--- a/rhodecode/apps/repository/views/repo_commits.py
+++ b/rhodecode/apps/repository/views/repo_commits.py
@@ -674,6 +674,10 @@ class RepoCommitsView(RepoAppView):
         is_repo_comment = comment.repo.repo_id == self.db_repo.repo_id
         comment_repo_admin = is_repo_admin and is_repo_comment
 
+        if comment.draft and not comment_owner:
+            # We never allow to delete draft comments for other than owners
+            raise HTTPNotFound()
+
         if super_admin or comment_owner or comment_repo_admin:
             CommentsModel().delete(comment=comment, auth_user=self._rhodecode_user)
             Session().commit()
diff --git a/rhodecode/apps/repository/views/repo_pull_requests.py b/rhodecode/apps/repository/views/repo_pull_requests.py
--- a/rhodecode/apps/repository/views/repo_pull_requests.py
+++ b/rhodecode/apps/repository/views/repo_pull_requests.py
@@ -1748,6 +1748,10 @@ class RepoPullRequestsView(RepoAppView,
         is_repo_comment = comment.repo.repo_name == self.db_repo_name
         comment_repo_admin = is_repo_admin and is_repo_comment
 
+        if comment.draft and not comment_owner:
+            # We never allow to delete draft comments for other than owners
+            raise HTTPNotFound()
+
         if super_admin or comment_owner or comment_repo_admin:
             old_calculated_status = comment.pull_request.calculated_review_status()
             CommentsModel().delete(comment=comment, auth_user=self._rhodecode_user)
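Review bot: The owner-only rule for draft comments is enforced only in this view, right before `CommentsModel().delete(...)`, so any other caller of `CommentsModel().delete` (the same guard is copy-pasted into repo_pull_requests.py in this commit, and an API or future endpoint could easily omit it) would still let a super-admin or repo admin delete someone else's draft. Consider moving the check into `CommentsModel.delete` itself, keyed on the `auth_user` it already receives, or at least into one shared helper such as `_assert_draft_owner(comment, comment_owner)` that both views call, so the invariant lives in one place. Raising `HTTPNotFound` rather than `HTTPForbidden` looks deliberate, since it avoids disclosing that a private draft exists, but that intent is not stated; I would replace the added comment with `# Drafts are private to their author: even super-admins and repo admins cannot delete them. 404 (not 403) so the draft's existence is not disclosed.` Note that `comment_owner` is computed earlier in the method and the deletion method itself starts and ends outside this hunk, so I cannot confirm from here how it is derived.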
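Review bot: The added draft check is placed ahead of the `super_admin or comment_owner or comment_repo_admin` test, which silently removes the super-admin bypass for drafts, yet the comment `# We never allow to delete draft comments for other than owners` reads as a restatement of the condition rather than an explanation of that decision. A maintainer who later "fixes" the ordering would reintroduce admin deletion of private drafts, so the comment should name the reason and the 404 choice, e.g. `# Drafts are visible only to their author, so nobody else (including admins) may delete them; answer 404 so the draft is not disclosed.` The check also correctly short-circuits before `old_calculated_status = comment.pull_request.calculated_review_status()`, so no review-status work is done for a rejected request; that is worth a word in the comment too. The enclosing view method starts and ends outside this hunk, so I cannot see the else branch the non-draft unauthorized path takes.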