Closed Niklp09 closed 1 year ago
If I remember correctly, the user comments page was made inaccessible to non-staff since it would leak private comments. But it should still be possible to see your own comments again since it's assumed you would have access to all of them anyways.
The real fix would obviously be checking on the page, for each comment, whether the user can read the comment (is it private? if so, does user have ability to read it? (participating, or staff)), though.
Yeah, I locked access to the comments as there was a security problem. I could re-add access to just your own comments, but the ideal solution would require checking per-comment whether the viewer has access.
Own comments are not accessible
Steps to reproduce
Log in and try to open your comments. Results in a forbidden resource (403).
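The per-comment check described in the replies above, sketched as an added example that is not part of the original issue or the project's code. The data model (`User`, `Comment`, `thread_participants`) and the sample data are assumptions made for illustration; the project's real model is not shown on this page.

```python
from dataclasses import dataclass

# All names here are hypothetical; only the rule (private? then participant
# or staff) comes from the discussion above.

@dataclass(frozen=True)
class User:
    id: int
    is_staff: bool = False

@dataclass(frozen=True)
class Comment:
    id: int
    author_id: int
    thread_id: int
    private: bool

def can_read(viewer, comment, thread_participants):
    """Per-comment check: public, or private and viewer is staff/participant."""
    if not comment.private:
        return True
    if viewer is None:  # anonymous visitors never see private comments
        return False
    if viewer.is_staff:
        return True
    return viewer.id in thread_participants.get(comment.thread_id, set())

def user_comments_page(viewer, author_id, comments, thread_participants):
    """Comments written by author_id, filtered to what this viewer may read."""
    return [c for c in comments
            if c.author_id == author_id and can_read(viewer, c, thread_participants)]

# Constructed sample data: user 1 wrote three comments; user 2 shares private
# thread 10 with user 1; user 3 is unrelated; user 4 is staff.
PARTICIPANTS = {10: {1, 2}, 11: {1}}
COMMENTS = [
    Comment(100, author_id=1, thread_id=20, private=False),
    Comment(101, author_id=1, thread_id=10, private=True),
    Comment(102, author_id=1, thread_id=11, private=True),
]

def visible_ids(viewer, author_id=1):
    return [c.id for c in user_comments_page(viewer, author_id, COMMENTS, PARTICIPANTS)]

if __name__ == "__main__":
    viewers = {"author": User(1), "co-participant": User(2),
               "unrelated": User(3), "staff": User(4, True), "anonymous": None}
    for name, viewer in viewers.items():
        print(name, visible_ids(viewer))
```

Filtering per comment means the page never needs a blanket 403: each viewer gets the subset they are entitled to, and the author's own view falls out of the same rule.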