id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc
1685,Item overview can show annotation values even if the logged-in user doesn't have read permission to the annotation type,Nicklas Nordborg,everyone,"As an administrator do the following:
 * Create a new user (U)
 * Create a project (P) and add U to the project
 * Create two annotation types (A1 and A2) and share A1 to P but not A2.
 * Create a biosource (B) and share it to P.
 * Annotate B with A1 and A2.

Log in as U, set P as the active project and go to B:
 * The ""Annotations"" tab should only display the value for A1.
 * The ""Overview"" tab displays the values for both A1 and A2 (when B is selected).

Investigations in the code seem to show that there is a serious flaw in the permission handling of annotations. In fact, it seems like it has [http://base.thep.lu.se/browser/tags/2.0/src/core/net/sf/basedb/core/Annotation.java#L56 been around since the beginning of BASE]. We need to replace that filter with something that doesn't allow annotations for unshared annotation types to pass through.

There is also a similar issue in the caching mechanism which was introduced in #1374. The cache must of course store all annotations, but there are currently no permission checks at all when loading annotations from the cache.",defect,closed,critical,BASE 3.1.1,core,,fixed,,