2710: Can see and edit other users' comments before they're published

rich****@gmai***** (Google Code)
Sept. 11, 2012
What version are you running?
1.6.11

What's the URL of the page containing the problem?
not publicly available

What steps will reproduce the problem?

I'm not sure how reproducible it is.  Here is the state things are in.
1. Person A publishes a diff.
2. Person B publishes a review.
3. Person A writes comments, but doesn't publish them (yet).
4. Person C sees person A's unpublished comments and the edit button is active.  The publish button on the conversation is also active.
   a. Clicking the publish button publishes/emails a document with no comments.
   b. Editing the comment and then clicking publish duplicates the comment under Person C's name.  Person A's comment is untouched.

I did verify that person A and person C were properly logged into their respective IDs.

What is the expected output? What do you see instead?
I wouldn't expect to see anyone's (other than my own) unpublished comments.

What operating system are you using? What browser?
Windows 7 x64
Chrome 21.0...

Please provide any additional information below.
#1 david
Is Person C an admin?
  • +NeedInfo
#2 rich****@gmai***** (Google Code)
Person C is NOT an admin.
Another person (an admin) could see the unpublished comments as well.
#3 david
  • -NeedInfo
    +New
#4 timw.a******@gmai***** (Google Code)
I'm not completely sure of the root cause, but here is a patch that seems to work for one case in the Reviews view (I haven't investigated related code in other views, but I've heard from my users that the diff view may experience similar problems).

The check is based on a similar test earlier in the same file.

--- a/reviewboard/reviews/views.py
+++ b/reviewboard/reviews/views.py
@@ -562,7 +562,7 @@ def review_detail(request,
 
                     file_attachment._comments.append(comment)
 
-            if parent_review.is_reply():
+            if parent_review.is_reply() and (parent_review.public or (request.user.is_authenticated() and parent_review.user_id == request.user.pk)):
                 # This is a reply to a comment. Add it to the list of replies.
                 assert obj.review_id not in reviews_entry_map
                 assert parent_review.base_reply_to_id in reviews_entry_map
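Review bot: On the changed `if parent_review.is_reply() and (...)` line, folding the visibility test into the reply test means another user's unpublished reply now fails the condition and drops into whatever follows this `if`, which the hunk does not show; confirm that path does not render the draft some other way, or skip non-visible reviews before this test is reached. Since the description says the check mirrors a similar one earlier in the same file, moving it into one helper used in both places would keep the two copies from drifting apart and would shorten this line, which is now well past a readable width.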
#5 david
Fixed in release-1.6.x (861bc59).
  • -New
    +Fixed
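
As an added illustration (not Review Board's code and not part of the thread), this Python sketch models the visibility rule from the patch in comment #4 and applies it before replies are grouped, using constructed data that mirrors the reported scenario. The names `User`, `Review`, `is_visible_to`, `build_entries` and `reply_bodies` are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class User:
    pk: Optional[int]          # None models an anonymous visitor
    name: str = "anonymous"

    @property
    def is_authenticated(self) -> bool:
        return self.pk is not None


@dataclass
class Review:
    id: int
    user_id: int
    public: bool
    body: str
    base_reply_to_id: Optional[int] = None   # set when this is a reply

    def is_reply(self) -> bool:
        return self.base_reply_to_id is not None


def is_visible_to(review: Review, viewer: User) -> bool:
    """Same rule as the patch: published, or the viewer's own draft."""
    return review.public or (viewer.is_authenticated and review.user_id == viewer.pk)


def build_entries(reviews: List[Review], viewer: User) -> List[dict]:
    """Filter first, then group visible replies under their parent review."""
    visible = [r for r in reviews if is_visible_to(r, viewer)]
    entries = {r.id: {"review": r, "replies": []} for r in visible if not r.is_reply()}
    for r in visible:
        if r.is_reply() and r.base_reply_to_id in entries:
            entries[r.base_reply_to_id]["replies"].append(r)
    return list(entries.values())


# Constructed data mirroring the report: B publishes a review, A drafts a reply.
PERSON_A, PERSON_B, PERSON_C = User(1, "A"), User(2, "B"), User(3, "C")
REVIEWS = [
    Review(id=10, user_id=2, public=True, body="B's published review"),
    Review(id=11, user_id=1, public=False, body="A's draft reply", base_reply_to_id=10),
]


def reply_bodies(viewer: User) -> List[str]:
    """Bodies of every reply the given viewer would be shown."""
    return [r.body for e in build_entries(REVIEWS, viewer) for r in e["replies"]]
```

Filtering before grouping means a draft that is not visible never reaches the rendering path at all, for Person C and for an anonymous visitor alike.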