Opened 9 years ago

Closed 9 years ago

#1685 closed defect (fixed)

Item overview can show annotation values even if the logged in user doesn't have read permission to the annotation type

Reported by: Nicklas Nordborg Owned by: everyone
Priority: critical Milestone: BASE 3.1.1
Component: core Version:
Keywords: Cc:

Description

As an administrator do the following:

  • Create a new user (U)
  • Create a project (P) and add U to the project
  • Create two annotation types (A1 and A2) and share A1 to P but not A2.
  • Create a biosource (B) and share it to P.
  • Annotate B with A1 and A2.

Log in as U, set P as the active project and go to B:

  • The "Annotations" tab should only display the value for A1.
  • The "Overview" tab displays the values for both A1 and A2 (when B is selected).

Investigations in the code seem to show that there is a serious flaw in the permission handling of annotations. In fact, it seems like it has been around since the beginning of BASE. We need to replace that filter with something that doesn't allow annotations for unshared annotation types to pass through.

There is also a similar issue in the caching mechanism which was introduced in #1374. The cache must of course store all annotations, but there is currently no permission checks at all when loading annotations from the cache.
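To make the permission gap concrete, here is an added Python model (not BASE's own code, which is Java) of the ticket's setup: the cache holds every annotation, as the ticket says it must, and the only difference between the flawed and the fixed overview is whether each cached value is filtered against the caller's read permission on its annotation type. The sharing rule in `can_read` and all names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the ticket's setup; none of this is BASE's own code.
@dataclass(frozen=True)
class AnnotationType:
    name: str
    shared_to: frozenset = frozenset()   # names of projects this type is shared to

@dataclass
class User:
    name: str
    active_project: str
    is_admin: bool = False

@dataclass
class Item:
    name: str
    annotations: dict = field(default_factory=dict)  # AnnotationType -> value

class AnnotationCache:
    """Caches every annotation of an item regardless of who asked (the ticket says it must)."""
    def __init__(self):
        self._store = {}

    def annotations_for(self, item):
        if item.name not in self._store:
            self._store[item.name] = dict(item.annotations)
        return self._store[item.name]

def can_read(user, atype):
    # Assumed rule: admins read everything; others need the type shared to their active project.
    return user.is_admin or user.active_project in atype.shared_to

def overview_unchecked(cache, item, user):
    # Flawed variant mirroring the ticket: values come straight from the cache, no permission filter.
    return {t.name: v for t, v in cache.annotations_for(item).items()}

def overview_checked(cache, item, user):
    # Fixed variant: every cached annotation is filtered against the caller's permission on its type.
    return {t.name: v for t, v in cache.annotations_for(item).items() if can_read(user, t)}

def reproduce():
    """Replays the ticket's steps for user U; returns (flawed overview, fixed overview)."""
    a1 = AnnotationType("A1", frozenset({"P"}))   # A1 shared to project P
    a2 = AnnotationType("A2")                     # A2 not shared to P
    b = Item("B", {a1: "value1", a2: "value2"})   # B annotated with both
    u = User("U", active_project="P")
    cache = AnnotationCache()
    return overview_unchecked(cache, b, u), overview_checked(cache, b, u)
```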

Change History (1)

comment:1 Changed 9 years ago by Nicklas Nordborg

Resolution: fixed
Status: new → closed

(In [6033]) Fixes #1685: Item overview can show annotation values even if the logged in user doesn't have read permission to the annotation type
