Public Group owners/Maintainers can not delete comments posted on epics
**[HackerOne report #538101](https://hackerone.com/reports/538101)** by `ashish_r_padelkar` on 2019-04-14, assigned to `estrike`:

### Summary

Hello,

I haven't found any documentation as such, but it looks like comments posted on `Epics` in any public group cannot be deleted even by `Group owners/maintainers`. This looks like a bug, as comments posted on issues/merge requests are editable and deletable by Admins.

### Steps to reproduce

1. Create a public group and then create an epic inside it (Use GOLD membership).
2. As it is a public epic, anyone can comment on it by navigating to the epic, like `https://gitlab.com/groups/PrivateGroupofGuest/-/epics/1`. So just post a comment as any user.
3. When group owners/maintainers visit this epic, they see the comment which was posted by a random user from GitLab. They don't find an option to EDIT/DELETE the comment!
4. This way any random users may spam the epic comment box, and Group Owners/Maintainers can't even delete those comments!

### What is the current *bug* behavior?

Group owners/Maintainers cannot delete comments posted on EPIC

### What is the expected *correct* behavior?

Group owners/Maintainers should be able to delete/edit anyone's comment, like it is in issues and merge requests

### Output of checks

This bug happens on GitLab.com and probably on omnibus installations too

Regards,
Ashish

## Impact

Anyone can spam the comments on `EPIC` from public groups, and then group owners/maintainers cannot even edit/delete the comments posted by others