Ticket #1685: Item overview can show annotation values even if the logged in user doesn't have read permission to the annotation type

Reporter: Nicklas Nordborg
Owner: everyone
Type: defect
Status: closed
Priority: critical
Milestone: BASE 3.1.1
Component: core
Resolution: fixed

Description:

As an administrator do the following:

* Create a new user (U)
* Create a project (P) and add U to the project
* Create two annotation types (A1 and A2) and share A1 to P but not A2.
* Create a biosource (B) and share it to P.
* Annotate B with A1 and A2.

Log in as U, set P as the active project and go to B:

* The "Annotations" tab should only display the value for A1.
* The "Overview" tab displays the values for both A1 and A2 (when B is selected).

Investigations in the code suggest there is a serious flaw in the permission handling of annotations. In fact, it seems like it has [http://base.thep.lu.se/browser/tags/2.0/src/core/net/sf/basedb/core/Annotation.java#L56 been around since the beginning of BASE]. We need to replace that filter with something that doesn't allow annotations for unshared annotation types to pass through.

There is also a similar issue in the caching mechanism which was introduced in #1374. The cache must of course store all annotations, but there are currently no permission checks at all when loading annotations from the cache.
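The cache problem described in the ticket, as an added illustration that is not BASE's own code: a simplified Python model (all class and function names are hypothetical) in which the cache stores every annotation of an item, one read path returns cached values unchecked, and the corrected path filters each annotation by whether its annotation type is shared to the user's active project.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AnnotationType:
    name: str
    shared_to: frozenset = frozenset()  # projects this type is shared to


@dataclass(frozen=True)
class Annotation:
    annotation_type: AnnotationType
    value: str


class AnnotationCache:
    """Holds every annotation of an item, regardless of who may read it."""

    def __init__(self):
        self._store = {}

    def put(self, item_id, annotations):
        self._store[item_id] = list(annotations)

    def get(self, item_id):
        return list(self._store.get(item_id, []))


def can_read(annotation_type, active_project, is_admin=False):
    # Read permission on the annotation type, not only on the annotated item.
    return is_admin or active_project in annotation_type.shared_to


def overview_unchecked(cache, item_id):
    # Flawed path: values come straight out of the cache with no permission check.
    return cache.get(item_id)


def overview_checked(cache, item_id, active_project, is_admin=False):
    # Corrected path: permission is evaluated per annotation after the cache lookup.
    return [a for a in cache.get(item_id)
            if can_read(a.annotation_type, active_project, is_admin)]


def demo():
    # Constructed data mirroring the ticket: A1 shared to project P, A2 not shared.
    a1, a2 = AnnotationType("A1", frozenset({"P"})), AnnotationType("A2")
    cache = AnnotationCache()
    cache.put("B", [Annotation(a1, "value-1"), Annotation(a2, "value-2")])
    leaked = [a.value for a in overview_unchecked(cache, "B")]
    visible = [a.value for a in overview_checked(cache, "B", "P")]
    return leaked, visible
```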