Correct comments of other users in PR #6461

Open
opened 2025-11-02 06:56:46 -06:00 by GiteaMirror · 7 comments

Originally created by @melmus on GitHub (Dec 4, 2020).

  • Gitea version (or commit ref):
    1.14.0+dev-225-g5bd05331c
    1.14.0+dev-315-gbb50ab286
  • Git version: 2.26.2
  • Operating system: Ubuntu 18.04.5 LTS, Gitea running in docker
  • Database (use [x]):
    • [x] PostgreSQL
    • [ ] MySQL
    • [ ] MSSQL
    • [ ] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [ ] Yes (provide example URL)
    • [ ] No
  • Log gist:

Description

In a pull request I can correct comments from other users.

Screenshots

Animated screenshot "Peek 2020-10-06 17-14": https://user-images.githubusercontent.com/15018126/101194240-c5eedc00-366e-11eb-8702-a5d3e5996c31.gif

GiteaMirror added the type/enhancement label 2025-11-02 06:56:46 -06:00

@lafriks commented on GitHub (Dec 4, 2020):

If you have administrative rights for this repository (owner or in org team with admin level) you are allowed to do that


@vnkmpf commented on GitHub (Jan 5, 2021):

I noticed the same problem - any user can edit or delete anybody else's comment.
The repo has no organization, owner is one user (admin) where other users are collaborators with write access (when tested with read-only access, they were not able to edit or delete).
The users also don't have admin role in user accounts.

And it happens to me in 1.13.1 and also happened in 1.13.0.


@vnkmpf commented on GitHub (Feb 16, 2021):

@lafriks I checked the code, and to me it looks like admin level was true before refactoring. PR #5314 changed this (https://github.com/go-gitea/gitea/pull/5314/files#diff-48c8791f86b36b38bb6d8c33cbf71ecda001cf5985ad99c66b99541afbe21169R1166)
I observe that anybody with writing rights can edit and delete anybody else's comments.

It's probably not only on back-end, changes were made in displaying context menu in PR comment (https://github.com/go-gitea/gitea/pull/10872/files#diff-d998e758fb6c1244cd2d75550a1ecbd64065e0e8bf155d89e95bd7aec72ad55fR13)

Is this expected behavior?
I would personally expect, that people who can change / delete comments are:

  • owners,
  • admins,
  • authors of the comment.

@zeripath commented on GitHub (Feb 16, 2021):

> I noticed the same problem - any user can edit or delete anybody else's comment.
> The repo has no organization, owner is one user (admin) where other users are collaborators with write access (when tested with read-only access, they were not able to edit or delete).

Write access in the case of issues - means editing other users comments and issues.


@vnkmpf commented on GitHub (Feb 16, 2021):

So is it not possible to give people access to write (push) to a repository without also giving them access to edit/delete other users' review comments?


@zeripath commented on GitHub (Feb 16, 2021):

Hmm... I guess this is yet another example of how collaborators are just too coarse a permission system. I seriously think we should just have teams here.


@sgabenov commented on GitHub (Dec 25, 2023):

> If you have administrative rights for this repository (owner or in org team with admin level) you are allowed to do that

I don't think admin should have rights to correct messages. Only to delete.
This may lead to a problem, when you can write something on behalf of another user.

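The thread describes three different answers to "who may edit or delete another user's comment": the behaviour zeripath describes as current (write access is enough), the expectation vnkmpf states (owners, admins and the author), and the stricter variant sgabenov suggests (admins may delete but not rewrite). The following is an added example written for this page, not Gitea's own code; it is in Go because that is the project's language. All type, function and user names (`AccessMode`, `Policy`, `SampleRepo`, alice/bob/carol) are hypothetical and the repository layout is constructed to match the setup vnkmpf reported: one owner, collaborators with write or read access, no organization.

```go
package main

import "fmt"

// AccessMode is the coarse per-repository collaborator level the thread
// complains about. Hypothetical names, not Gitea's types.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
	AccessAdmin // repository owner, site admin, or org team with admin level
)

// Action is the operation being authorized on a comment.
type Action int

const (
	ActionEdit Action = iota
	ActionDelete
)

type User struct {
	Name      string
	SiteAdmin bool
}

type Comment struct {
	Author string
	Body   string
}

// Repo is a constructed model: an owner plus collaborators, no organization.
type Repo struct {
	Owner         string
	Collaborators map[string]AccessMode
}

// modeFor maps a user to their effective access level on r.
func (r Repo) modeFor(u User) AccessMode {
	if u.SiteAdmin || u.Name == r.Owner {
		return AccessAdmin
	}
	return r.Collaborators[u.Name] // missing key yields AccessNone
}

// Policy answers "may u perform a on c in r?".
type Policy func(r Repo, u User, c Comment, a Action) bool

// CoarsePolicy reproduces the behaviour reported in the thread: write
// access is enough to edit or delete anyone's comment.
func CoarsePolicy(r Repo, u User, c Comment, a Action) bool {
	return u.Name == c.Author || r.modeFor(u) >= AccessWrite
}

// AdminPolicy is vnkmpf's expectation: owners, admins, and the author.
func AdminPolicy(r Repo, u User, c Comment, a Action) bool {
	return u.Name == c.Author || r.modeFor(u) >= AccessAdmin
}

// ModeratePolicy follows sgabenov's suggestion: only the author may edit,
// so nobody can put words in another user's mouth; admins may still delete.
func ModeratePolicy(r Repo, u User, c Comment, a Action) bool {
	if u.Name == c.Author {
		return true
	}
	return a == ActionDelete && r.modeFor(u) >= AccessAdmin
}

// SampleRepo builds the constructed repository used by main and the tests.
func SampleRepo() Repo {
	return Repo{
		Owner: "alice",
		Collaborators: map[string]AccessMode{
			"bob":   AccessWrite,
			"carol": AccessRead,
		},
	}
}

func main() {
	r := SampleRepo()
	c := Comment{Author: "carol", Body: "review comment by a read-only collaborator"}
	users := []User{{Name: "alice"}, {Name: "bob"}, {Name: "carol"}, {Name: "dave"}}
	names := []string{"coarse", "admin", "moderate"}
	policies := []Policy{CoarsePolicy, AdminPolicy, ModeratePolicy}
	// Print a decision matrix so the three policies can be compared side by side.
	for i, p := range policies {
		for _, u := range users {
			fmt.Printf("%-8s %-6s edit=%-5v delete=%v\n", names[i], u.Name,
				p(r, u, c, ActionEdit), p(r, u, c, ActionDelete))
		}
	}
}
```

Running it shows the practical difference: under the coarse policy bob (write access) can edit carol's comment, while under the admin policy he cannot, and under the moderate policy even the owner alice can only delete it.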
Reference: github-starred/gitea#6461