# HG changeset patch
# User Marcin Lulek
# Date 2017-06-20 17:39:19
# Node ID 76aa36403fb318a53dc57e96c7cf69e20b5acc5c
# Parent fcaa19d486e811da07ff41608fdad7583cfed595
security: use 404 instead of 403 in case missing permissions for comment deletion.
- prevents resource discovery
diff --git a/rhodecode/controllers/changeset.py b/rhodecode/controllers/changeset.py
--- a/rhodecode/controllers/changeset.py
+++ b/rhodecode/controllers/changeset.py
@@ -448,7 +448,9 @@ class ChangesetController(BaseRepoContro
             Session().commit()
             return True
         else:
-            raise HTTPForbidden()
+            log.warning('No permissions for user %s to delete comment_id: %s',
+                        c.rhodecode_user, comment_id)
+            raise HTTPNotFound()
 
     @LoginRequired()
     @HasRepoPermissionAnyDecorator('repository.read', 'repository.write',
diff --git a/rhodecode/controllers/pullrequests.py b/rhodecode/controllers/pullrequests.py
--- a/rhodecode/controllers/pullrequests.py
+++ b/rhodecode/controllers/pullrequests.py
@@ -1013,4 +1013,6 @@ class PullrequestsController(BaseRepoCon
                 comment.pull_request, c.rhodecode_user, 'review_status_change')
             return True
         else:
-            raise HTTPForbidden()
+            log.warning('No permissions for user %s to delete comment_id: %s',
+                        c.rhodecode_user, comment_id)
+            raise HTTPNotFound()
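Review bot: Returning `HTTPNotFound()` in the permission-denied branch only hides a comment's existence if the path for a comment_id that does not exist — decided earlier in the method, outside this hunk — produces the same 404 status and an indistinguishable body; if that lookup raises a different status or renders a different page, a caller without permission can still tell the two cases apart, so that path should be confirmed before treating the discovery issue as closed. The same check applies to the second hunk in rhodecode/controllers/pullrequests.py, which makes the identical change. The new warning formats `c.rhodecode_user` with `%s`, so what lands in the log depends on that object's string form; if it is a user object rather than a name, logging an explicit identifier (for example the username or user id, whichever the object exposes) would make the denied attempts easier to correlate when reviewing logs — I cannot see its type from the hunk. Both controllers now carry the same three lines; a small shared helper that logs and raises would keep the two permission-denied responses from drifting apart. The enclosing methods begin outside both hunks.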