Opened 8 years ago
Closed 8 years ago
#2033 closed defect (fixed)
Permissions for annotating items may be incorrectly implemented
Reported by: | Nicklas Nordborg | Owned by: | everyone |
---|---|---|---|
Priority: | major | Milestone: | BASE 3.10 |
Component: | core | Version: | |
Keywords: | Cc: |
Description
I might be wrong but I have always though that in order to be able to annotate an item the logged in user must have WRITE permission on the item and USE permission on the annotation type.
However there seems to be nothing at all in the current implementation that checks the permission on the annotation type implying that READ permission on the annotation type is enough. Setting up a test case confirm this.
The only exception to this is the new Annotation Batcher API introduced in BASE 3.8 (see #2000) which actually has a check for USE permission on the annotation type (AnnotationBatcher line 430).
It might well be that it is the batcher API that is incorrect, but in any case there is an inconsistency between the regular API and the batch API. I think the regular API should be fixed, though this may require a lot of work to make sure that other related things (web interface, caching, etc.) continue to work since I think only the WRITE permission on the item is checked in most cases.
Change History (8)
comment:2 by , 8 years ago
comment:3 by , 8 years ago
comment:4 by , 8 years ago
(In [7206]) References #2033: Permissions for annotating items may be incorrectly implemented
Changes in the web interface (Annotations tab) so that the "edit" icon is only visible if the user has permission to modify or create an annotation.
The edit dialog will still list all annotations but editing is disabled for read-only annotations.
comment:5 by , 8 years ago
comment:6 by , 8 years ago
comment:7 by , 8 years ago
comment:8 by , 8 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
One other way to test this is to use the annotation importer plug-in. Since BASE 3.8 it uses the Batch API. But it still presents the user with a list of all annotation types with READ permission. Mapping a column to an annotation with only READ permission causes a runtime exception:
Adding the annotation manually works.