Describe the bug
When using the REST API endpoint to add a comment to an item, there are fields in the request body that let you set whom the comment will be posted by. However, these seem to be ignored; instead, the owner of the comment is the currently logged-in user (or anonymous, if the anonymous flag is set).
To Reproduce
Steps to reproduce the behavior:
1. Go to apidocs.do
2. Scroll down to POST /item/{uuid}/{version}/comment and click Try It Out
3. Fill out the body of the request, using a different user than the currently logged-in user in the "postedBy" fields.
4. Submit the request. If the current user has permission to post a comment to this item, it should return 201.
5. Go to the item summary for the item we just posted a comment to.
6. Note that the added comment is labelled as posted by the logged-in user.
Expected behavior
It is unclear why these fields are part of the body for the POST command; I can't think of a reason why a user would be able to "impersonate" another user to add a comment. Perhaps the "postedBy" block should be removed from this endpoint's body.
Screenshots
This image shows two comments added logged in as the demosysadmin user - one anonymous and one not.
The "postedBy" block in both of these test calls was actually pointing at the demostudent user, but this was ignored.
Platform:
OpenEquella Version: 2019.2+ (probably older)
OS: Agnostic
Browser: Agnostic
Additional context
This was found by an Edalex client; however, we believe this to be low priority, as there is little reason why anyone should be able to impersonate another user via the API. This part of the body of the endpoint should be removed rather than fixed.
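The following is an added example, not code from the issue or from openEQUELLA, that models the behaviour reported above: a client builds the request body with a "postedBy" block naming a different user, a hardened server derives the owner from the authenticated session and discards that block (which is what the report observed), and a checker classifies what the item summary shows as "session_owner", "anonymous" or "impersonated". The field names "postedBy" and "anonymous" come from the report; the "comment" field, the "/api" path prefix, the user-object shape and the X-Authorization header in the live helper are assumptions for illustration.

```python
"""Model of the comment-ownership behaviour described in this issue.

Added example, not openEQUELLA code. Field names other than "postedBy" and
"anonymous" (both named in the report) are assumptions about the comment JSON;
the endpoint path is taken from the report, the "/api" prefix is assumed.
"""
import json
from urllib import request  # only used by post_comment_live(), which is not run offline

ENDPOINT = "/api/item/{uuid}/{version}/comment"  # assumption: REST base path is /api


def build_comment_body(text, spoofed_user_id, spoofed_username, anonymous=False):
    """Request body as sent in the reproduction steps: a postedBy block naming
    a user other than the authenticated one."""
    return {
        "comment": text,
        "anonymous": anonymous,
        "postedBy": {"id": spoofed_user_id, "username": spoofed_username},
    }


def store_comment(session_user, body):
    """Hardened server side: ownership comes only from the authenticated
    session. Any client-supplied postedBy is discarded, which matches the
    behaviour the report observed and is why the field is pointless."""
    stored = {
        "comment": body.get("comment", ""),
        "anonymous": bool(body.get("anonymous", False)),
    }
    if stored["anonymous"]:
        stored["postedBy"] = None
    else:
        stored["postedBy"] = {"id": session_user["id"], "username": session_user["username"]}
    return stored


def classify_ownership(session_user, sent_body, returned_comment):
    """Compare what was sent with what the item summary shows.
    'impersonated' is the outcome that would make this a real vulnerability;
    the report only ever saw 'session_owner' (or 'anonymous')."""
    owner = returned_comment.get("postedBy")
    if returned_comment.get("anonymous") or owner is None:
        return "anonymous"
    if owner.get("id") == session_user["id"]:
        return "session_owner"
    if owner.get("id") == sent_body.get("postedBy", {}).get("id"):
        return "impersonated"
    return "unexpected"


def post_comment_live(base_url, token, item_uuid, version, body):
    """Optional live helper for re-running the reproduction against a real
    instance (not executed here). The X-Authorization header name is an
    assumption about the deployment's API authentication."""
    url = base_url.rstrip("/") + ENDPOINT.format(uuid=item_uuid, version=version)
    req = request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json", "X-Authorization": token},
    )
    with request.urlopen(req) as resp:  # expect 201 per the report
        return resp.status


if __name__ == "__main__":
    # Constructed sample users mirroring the screenshot description.
    admin = {"id": "demosysadmin", "username": "demosysadmin"}
    body = build_comment_body("test comment", "demostudent", "demostudent")
    print(classify_ownership(admin, body, store_comment(admin, body)))
```

Running the checker against a live instance is the same loop: POST the body, fetch the comment from the item summary, and feed both to classify_ownership; anything other than "session_owner" or "anonymous" means the server honoured the client-supplied owner.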
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.