# HG changeset patch
# User Milka Kuzminski <milka@rhodecode.com>
# Date 2021-02-23 07:44:25
# Node ID 6f8e3276054b6f7d6c63348a2a5e7360db9483d9
# Parent  cced02699b364c99435c9b3a40265be4a4db0fd0

comments: forbig removal of comments by anyone except the owners.

diff --git a/rhodecode/apps/repository/views/repo_commits.py b/rhodecode/apps/repository/views/repo_commits.py
--- a/rhodecode/apps/repository/views/repo_commits.py
+++ b/rhodecode/apps/repository/views/repo_commits.py
@@ -674,6 +674,10 @@ class RepoCommitsView(RepoAppView):
         is_repo_comment = comment.repo.repo_id == self.db_repo.repo_id
         comment_repo_admin = is_repo_admin and is_repo_comment
 
+        if comment.draft and not comment_owner:
+            # We never allow to delete draft comments for other than owners
+            raise HTTPNotFound()
+
         if super_admin or comment_owner or comment_repo_admin:
             CommentsModel().delete(comment=comment, auth_user=self._rhodecode_user)
             Session().commit()
diff --git a/rhodecode/apps/repository/views/repo_pull_requests.py b/rhodecode/apps/repository/views/repo_pull_requests.py
--- a/rhodecode/apps/repository/views/repo_pull_requests.py
+++ b/rhodecode/apps/repository/views/repo_pull_requests.py
@@ -1748,6 +1748,10 @@ class RepoPullRequestsView(RepoAppView, 
         is_repo_comment = comment.repo.repo_name == self.db_repo_name
         comment_repo_admin = is_repo_admin and is_repo_comment
 
+        if comment.draft and not comment_owner:
+            # We never allow to delete draft comments for other than owners
+            raise HTTPNotFound()
+
         if super_admin or comment_owner or comment_repo_admin:
             old_calculated_status = comment.pull_request.calculated_review_status()
             CommentsModel().delete(comment=comment, auth_user=self._rhodecode_user)