Public Group owners/Maintainers can not delete comments posted on epics
HackerOne report #538101 by ashish_r_padelkar
on 2019-04-14, assigned to estrike
Summary
Hello,
I haven't found any documentation as such, but it looks like comments posted on Epics in any public group cannot be deleted even by Group owners/maintainers. This looks like a bug, as comments posted on issues/merge requests are editable and deletable by Admins.
Steps to reproduce
- Create a public group and then create an epic inside it (use GOLD membership).
- As it is a public epic, anyone can comment on it by navigating to the epic, e.g. https://gitlab.com/groups/PrivateGroupofGuest/-/epics/1. So just post a comment as any user.
- When group owners/maintainers visit this epic, they see the comment posted by a random GitLab user. They don't find an option to EDIT/DELETE the comment!
- This way any random user may spam the epic comment box and Group Owners/Maintainers can't even delete those comments!
What is the current bug behavior?
Group owners/Maintainers cannot delete comments posted on EPIC
What is the expected correct behavior?
Group owners/Maintainers should be able to delete/edit anyone's comment, like in issues and merge requests
Output of checks
This bug happens on GitLab.com and probably on omnibus installations too
Regards,
Ashish
Impact
Anyone can spam the comments on EPIC from public groups and then group owners/maintainers cannot even edit/delete the comments posted by others
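The permission gap the report describes, as an added illustration in Ruby that is not GitLab's own code: a simplified note-admin check that only consults the noteable's project (so a group-level epic never grants group owners/maintainers delete rights) beside the corrected check that resolves either parent container. The role table, structs, and user/group names are constructed for the example.

```ruby
# Simplified authorization model, constructed for illustration; it is not
# GitLab's DeclarativePolicy. Issues and merge requests live in a project,
# epics live in a group; a note's "noteable" therefore has one parent of
# either kind.
ROLE_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Container = Struct.new(:name, :memberships)    # memberships: { user => role }
Noteable  = Struct.new(:kind, :project, :group) # exactly one of project/group set
Note      = Struct.new(:author, :noteable)

# True when user holds maintainer or above in the container (nil-safe).
def maintainer_or_above?(container, user)
  role = container && container.memberships[user]
  !role.nil? && ROLE_LEVELS[role] >= ROLE_LEVELS[:maintainer]
end

# Buggy check (mirrors the report): only the noteable's *project* is consulted,
# so a group-level epic never grants admin rights to group owners/maintainers
# and only the comment's author can remove it.
def can_admin_note_buggy?(user, note)
  note.author == user || maintainer_or_above?(note.noteable.project, user)
end

# Fixed check: resolve the parent (project or group) and apply the same rule,
# so group owners/maintainers can edit/delete epic comments like issue ones.
def can_admin_note_fixed?(user, note)
  parent = note.noteable.project || note.noteable.group
  note.author == user || maintainer_or_above?(parent, user)
end

# Constructed scenario: a public group with one owner, an epic in it, and a
# drive-by comment from an unrelated user; plus an issue in a project where
# the same person is a maintainer, to show the behaviour the report expects.
def scenario
  owner, random_user = 'group-owner', 'random-user'
  group   = Container.new('public-group', { owner => :owner })
  project = Container.new('project', { owner => :maintainer })
  epic_spam  = Note.new(random_user, Noteable.new(:epic, nil, group))
  issue_spam = Note.new(random_user, Noteable.new(:issue, project, nil))
  {
    epic_buggy:  can_admin_note_buggy?(owner, epic_spam),        # false: the bug
    epic_fixed:  can_admin_note_fixed?(owner, epic_spam),        # true
    issue_buggy: can_admin_note_buggy?(owner, issue_spam),       # true already
    bystander:   can_admin_note_fixed?('bystander', epic_spam)   # false: no role
  }
end

puts scenario.inspect if $PROGRAM_NAME == __FILE__
```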