Permissions for annotating items may be incorrectly implemented
|Reported by:||Nicklas Nordborg||Owned by:||everyone|
I might be wrong but I have always though that in order to be able to annotate an item the logged in user must have WRITE permission on the item and USE permission on the annotation type.
However there seems to be nothing at all in the current implementation that checks the permission on the annotation type implying that READ permission on the annotation type is enough. Setting up a test case confirm this.
It might well be that it is the batcher API that is incorrect, but in any case there is an inconsistency between the regular API and the batch API. I think the regular API should be fixed, though this may require a lot of work to make sure that other related things (web interface, caching, etc.) continue to work since I think only the WRITE permission on the item is checked in most cases.