
Adding the permissions for commenter role

Open jespino opened this issue 2 years ago • 5 comments

Adding the new permissions for add comments in the board. And showing the commenter role there.

jespino avatar Apr 21 '22 15:04 jespino

@jespino, is the intention to check this in after the v0.16 branch? If so, the changes look good.

chenilim avatar Apr 22 '22 18:04 chenilim

@chenilim yes it was

jespino avatar May 06 '22 11:05 jespino

Thanks @jespino! I realized we may also need to check this for Delete Block, because a user can currently delete their own comment. In fact, we might want to consider refactoring that for comments, or even having a separate set of APIs for comments. That might also make it easier to refactor later, e.g. when we move to using channel threads. I'm out next week, so looping in @wiggin77 as an extra pair of eyes.

chenilim avatar May 06 '22 18:05 chenilim

> or even having a separate set of APIs for comments.

I'll review. In the meantime, +1 for dedicated API for comments. Will make it much easier to change how comments are stored later.

wiggin77 avatar May 06 '22 18:05 wiggin77

> we may also need to check this for Delete Block, because a user can currently delete their own comment.

It would appear any user with board access can delete anyone else's comments via the DeleteBlock API.

wiggin77 avatar May 06 '22 21:05 wiggin77

> > we may also need to check this for Delete Block, because a user can currently delete their own comment.
>
> It would appear any user with board access can delete anyone else's comments via the DeleteBlock API.

@wuwinson I chatted about this with @wiggin77 and we're good with creating a follow-up card to add logic to DeleteBlock since a user with board access can delete any comment ~~via the API directly~~.

edit: in more testing locally it appears it's more than just the API directly: as a Commenter I can delete any comments, even ones not my own. cc @jespino

Pinjasaur avatar Aug 18 '22 21:08 Pinjasaur

@wuwinson I chatted about this with @jespino

Yes, that makes a lot of sense, actually, the comment should be handled in a specific way there, in my opinion, you shouldn't be able to delete comments in general, doesn't matter if you are an editor

I would expect that maybe, an admin, can delete comments

but not other editor, for example

additionally, I was reviewing the spec more and it makes mention of being able to edit comments which I didn't realize initially (editing doesn't exist right now)

Pinjasaur avatar Aug 18 '22 22:08 Pinjasaur

> @wuwinson I chatted about this with @jespino
>
> Yes, that makes a lot of sense, actually, the comment should be handled in a specific way there, in my opinion, you shouldn't be able to delete comments in general, doesn't matter if you are an editor I would expect that maybe, an admin, can delete comments but not other editor, for example
>
> additionally, I was reviewing the spec more and it makes mention of being able to edit comments which I didn't realize initially (editing doesn't exist right now)

@Pinjasaur Good catch! I updated the spec to remove the portion about editing comments since it's not supported yet. However, Commenters should be able to delete their own comments, but not others. This behavior would be consistent with Channels as well.

wuwinson avatar Aug 19 '22 18:08 wuwinson
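
The deletion rule discussed in this thread, shown as an added Go example that is not Focalboard's code: a check that looks only at board access, next to one that also checks comment ownership. All type and function names are hypothetical; the admin override and the Editor requirement for non-comment blocks are assumptions.

```go
package main

import "fmt"

// Role, Block and both functions are hypothetical, not Focalboard's own API.
type Role int

const (
	Commenter Role = iota
	Editor
	Admin
)

type Block struct {
	ID, Type, CreatedBy string // Type is "comment" or another block type
}

// CanDeleteBoardAccessOnly models the behaviour reported in the thread:
// board access alone is enough to delete any block, comments included.
func CanDeleteBoardAccessOnly(hasBoardAccess bool) bool {
	return hasBoardAccess
}

// CanDeleteBlock adds an ownership check for comments.
func CanDeleteBlock(userID string, role Role, hasBoardAccess bool, b Block) bool {
	if !hasBoardAccess {
		return false
	}
	if b.Type == "comment" {
		// The author may delete their own comment. The Admin override is an
		// assumption taken from the admin remark in the thread.
		return b.CreatedBy == userID || role == Admin
	}
	// Assumption: deleting non-comment blocks needs Editor or above.
	return role >= Editor
}

func main() {
	// Constructed sample: a comment written by "alice".
	c := Block{ID: "c1", Type: "comment", CreatedBy: "alice"}
	users := []struct {
		id   string
		role Role
	}{{"alice", Commenter}, {"bob", Commenter}, {"carol", Editor}, {"dave", Admin}}
	for _, u := range users {
		fmt.Printf("%-5s access-only=%v owner-check=%v\n", u.id,
			CanDeleteBoardAccessOnly(true), CanDeleteBlock(u.id, u.role, true, c))
	}
}
```
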

/update-branch

wiggin77 avatar Aug 22 '22 21:08 wiggin77

Momentary hold to remove the Commenter role from a custom template.

Pinjasaur avatar Aug 23 '22 16:08 Pinjasaur

/update-branch

Pinjasaur avatar Aug 23 '22 18:08 Pinjasaur

/update-branch

Pinjasaur avatar Aug 24 '22 18:08 Pinjasaur