# HG changeset patch
# User Milka Kuzminski
# Date 2021-02-23 07:44:25
# Node ID 6f8e3276054b6f7d6c63348a2a5e7360db9483d9
# Parent cced02699b364c99435c9b3a40265be4a4db0fd0
comments: forbig removal of comments by anyone except the owners.
diff --git a/rhodecode/apps/repository/views/repo_commits.py b/rhodecode/apps/repository/views/repo_commits.py
--- a/rhodecode/apps/repository/views/repo_commits.py
+++ b/rhodecode/apps/repository/views/repo_commits.py
@@ -674,6 +674,10 @@ class RepoCommitsView(RepoAppView):
 is_repo_comment = comment.repo.repo_id == self.db_repo.repo_id
 comment_repo_admin = is_repo_admin and is_repo_comment
+ if comment.draft and not comment_owner:
+ # We never allow to delete draft comments for other than owners
+ raise HTTPNotFound()
+
 if super_admin or comment_owner or comment_repo_admin:
 CommentsModel().delete(comment=comment, auth_user=self._rhodecode_user)
 Session().commit()
diff --git a/rhodecode/apps/repository/views/repo_pull_requests.py b/rhodecode/apps/repository/views/repo_pull_requests.py
--- a/rhodecode/apps/repository/views/repo_pull_requests.py
+++ b/rhodecode/apps/repository/views/repo_pull_requests.py
@@ -1748,6 +1748,10 @@ class RepoPullRequestsView(RepoAppView,
 is_repo_comment = comment.repo.repo_name == self.db_repo_name
 comment_repo_admin = is_repo_admin and is_repo_comment
+ if comment.draft and not comment_owner:
+ # We never allow to delete draft comments for other than owners
+ raise HTTPNotFound()
+
 if super_admin or comment_owner or comment_repo_admin:
 old_calculated_status = comment.pull_request.calculated_review_status()
 CommentsModel().delete(comment=comment, auth_user=self._rhodecode_user)
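Review bot: The draft-ownership rule added in repo_commits.py is enforced only at the view layer and is copied verbatim into the delete handler in repo_pull_requests.py, so any other caller of `CommentsModel().delete(...)` (none is visible in this patch) would not be covered by it. Consider one shared check that both views call, for example a helper on the common base view or a guard inside the model's delete, so the rule cannot drift between the two copies. The denial is also silent: a warning log entry naming the requesting user and the comment id just before `raise HTTPNotFound()` would make attempts to delete someone else's draft visible in audit. The enclosing method starts and ends outside the hunk.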
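Review bot: The inline comment on the added guard in repo_pull_requests.py (and on the identical guard in repo_commits.py) does not state its scope, and the commit title reads as if all comment removal were owner-only. The guard only applies when `comment.draft` is set; published comments stay deletable by super-admins and repository admins through the `if` that follows. The comment could say so and explain the status code, e.g. `# Drafts are private to their author: super-admins and repo admins cannot delete them either. 404 rather than 403, presumably so the draft's existence is not disclosed.` The enclosing method continues outside the hunk.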