From 84754fbe0d375fb0ba9b9c1be27b4dff334fd04b Mon Sep 17 00:00:00 2001
From: Tom Pollard <tpollard@mit.edu>
Date: Thu, 11 Jul 2024 14:16:29 -0400
Subject: [PATCH] Comments can only be deleted by the author of the comment.

---
 .../templates/console/submission_info_card.html  | 16 +++++++++-------
 physionet-django/console/views.py                |  7 +++++--
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/physionet-django/console/templates/console/submission_info_card.html b/physionet-django/console/templates/console/submission_info_card.html
index 54660df23..9013a2d16 100644
--- a/physionet-django/console/templates/console/submission_info_card.html
+++ b/physionet-django/console/templates/console/submission_info_card.html
@@ -128,13 +128,15 @@ <h5>Uploaded Documents</h5>
         <li class="list-group-item">
           <p>{{ note.content }}</p>
           <p class="small text-muted">Created by {{ note.created_by }} on {{ note.created_at }}</p>
-          <form action="{% url 'submission_info' project.slug %}" method="POST" id="internal_note_form">
-            {% csrf_token %}
-            <input type="hidden" name="note_id" value="{{ note.id }}">
-            <button class="btn btn-danger btn-rsp" type="submit" name="delete_internal_note" onclick="return confirm('Are you sure you want to delete this note?');">
-              Delete
-            </button>
-          </form>
+          {% if note.created_by == user %}
+            <form action="{% url 'submission_info' project.slug %}" method="POST" id="internal_note_form">
+              {% csrf_token %}
+              <input type="hidden" name="note_id" value="{{ note.id }}">
+              <button class="btn btn-danger btn-rsp" type="submit" name="delete_internal_note" onclick="return confirm('Are you sure you want to delete this note?');">
+                Delete
+              </button>
+            </form>
+          {% endif %}
         </li>
         {% endfor %}
 
diff --git a/physionet-django/console/views.py b/physionet-django/console/views.py
index fba45aec7..7311353de 100644
--- a/physionet-django/console/views.py
+++ b/physionet-django/console/views.py
@@ -325,8 +325,11 @@ def submission_info(request, project_slug):
     if 'delete_internal_note' in request.POST:
         note_id = request.POST['note_id']
         note = get_object_or_404(InternalNote, pk=note_id, project=project)
-        note.delete()
-        messages.success(request, "Note deleted.")
+        if note.created_by == request.user:
+            note.delete()
+            messages.success(request, "Note deleted.")
+        else:
+            messages.error(request, "You are not authorized to delete this note.")
         return redirect(f'{request.path}?tab=notes')
 
     url_prefix = notification.get_url_prefix(request)