Comments can only be deleted by the author of the comment.

physionet-django/console/templates/console/submission_info_card.html

@@ -128,13 +128,15 @@ <h5>Uploaded Documents</h5>
         <li class="list-group-item">
           <p>{{ note.content }}</p>
           <p class="small text-muted">Created by {{ note.created_by }} on {{ note.created_at }}</p>
-          <form action="{% url 'submission_info' project.slug %}" method="POST" id="internal_note_form">
-            {% csrf_token %}
-            <input type="hidden" name="note_id" value="{{ note.id }}">
-            <button class="btn btn-danger btn-rsp" type="submit" name="delete_internal_note" onclick="return confirm('Are you sure you want to delete this note?');">
-              Delete
-            </button>
-          </form>
+          {% if note.created_by == user %}
+            <form action="{% url 'submission_info' project.slug %}" method="POST" id="internal_note_form">
+              {% csrf_token %}
+              <input type="hidden" name="note_id" value="{{ note.id }}">
+              <button class="btn btn-danger btn-rsp" type="submit" name="delete_internal_note" onclick="return confirm('Are you sure you want to delete this note?');">
+                Delete
+              </button>
+            </form>
+          {% endif %}
         </li>
         {% endfor %}
 

physionet-django/console/views.py

@@ -325,8 +325,11 @@ def submission_info(request, project_slug):
     if 'delete_internal_note' in request.POST:
         note_id = request.POST['note_id']
         note = get_object_or_404(InternalNote, pk=note_id, project=project)
-        note.delete()
-        messages.success(request, "Note deleted.")
+        if note.created_by == request.user:
+            note.delete()
+            messages.success(request, "Note deleted.")
+        else:
+            messages.error(request, "You are not authorized to delete this note.")
         return redirect(f'{request.path}?tab=notes')
 
     url_prefix = notification.get_url_prefix(request)