id summary reporter owner description type status priority milestone component version resolution keywords cc 2033 Permissions for annotating items may be incorrectly implemented Nicklas Nordborg everyone "I might be wrong but I have always though that in order to be able to annotate an item the logged in user must have WRITE permission on the item and USE permission on the annotation type. However there seems to be nothing at all in the current implementation that checks the permission on the annotation type implying that READ permission on the annotation type is enough. Setting up a test case confirm this. The only exception to this is the new Annotation Batcher API introduced in BASE 3.8 (see #2000) which actually has a check for USE permission on the annotation type ([source:/branches/3.8-stable/src/core/net/sf/basedb/core/AnnotationBatcher.java#L415 AnnotationBatcher line 430]). It might well be that it is the batcher API that is incorrect, but in any case there is an inconsistency between the regular API and the batch API. I think the regular API should be fixed, though this may require a lot of work to make sure that other related things (web interface, caching, etc.) continue to work since I think only the WRITE permission on the item is checked in most cases. " defect closed major BASE 3.10 core fixed