drafts-comments: don't allow to view history for others than owner....
super-admin -
r4698:94ebeff1 stable
@@ -539,8 +539,14 b' class RepoCommitsView(RepoAppView):'
539 @CSRFRequired()
539 @CSRFRequired()
540 def repo_commit_comment_history_view(self):
540 def repo_commit_comment_history_view(self):
541 c = self.load_default_context()
541 c = self.load_default_context()
542 comment_history_id = self.request.matchdict['comment_history_id']
542
543
543 comment_history_id = self.request.matchdict['comment_history_id']
544 comment = ChangesetComment.get_or_404(comment_history_id)
545 comment_owner = (comment.author.user_id == self._rhodecode_db_user.user_id)
546 if comment.draft and not comment_owner:
547 # if we see draft comments history, we only allow this for owner
548 raise HTTPNotFound()
549
544 comment_history = ChangesetCommentHistory.get_or_404(comment_history_id)
550 comment_history = ChangesetCommentHistory.get_or_404(comment_history_id)
545 is_repo_comment = comment_history.comment.repo.repo_id == self.db_repo.repo_id
551 is_repo_comment = comment_history.comment.repo.repo_id == self.db_repo.repo_id
546
552
@@ -549,8 +555,7 b' class RepoCommitsView(RepoAppView):'
549
555
550 rendered_comment = render(
556 rendered_comment = render(
551 'rhodecode:templates/changeset/comment_history.mako',
557 'rhodecode:templates/changeset/comment_history.mako',
552 self._get_template_context(c)
558 self._get_template_context(c), self.request)
553 , self.request)
554 return rendered_comment
559 return rendered_comment
555 else:
560 else:
556 log.warning('No permissions for user %s to show comment_history_id: %s',
561 log.warning('No permissions for user %s to show comment_history_id: %s',
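Review bot: The draft-ownership check added at new lines 544–548 calls `ChangesetComment.get_or_404(comment_history_id)`, which uses the history row's id as if it were a comment primary key. Unless the two id spaces are guaranteed to coincide (nothing visible here shows that), the test runs against an unrelated comment, so it can return 404 for a legitimate request or fail to cover the draft that the history row belongs to. The hunk already relies on `comment_history.comment` for the repo check, so load the history row first and derive the comment from it with `comment = comment_history.comment`, then apply the `comment.draft and not comment_owner` test. The function body continues past the end of this hunk, so the rest of the `else` branch is not covered by this note.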