Forbid editing other orga’s public annotations #7923

Merged
merged 3 commits into from
Jul 22, 2024


fm3
Member

@fm3 fm3 commented Jul 16, 2024

Issues:

Steps to test:

  • create two orgas
  • create an annotation for a public dataset, set it to public and to others-may-edit
  • another user from the same organization should be able to edit it (respecting mutex)
  • another user from a different organization should be able to view it but never edit it

@fm3 fm3 self-assigned this Jul 16, 2024
@fm3 fm3 marked this pull request as ready for review July 16, 2024 13:02
@fm3 fm3 changed the title Forbid editing other orgas public annotations Forbid editing other orga’s public annotations Jul 16, 2024
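
The rule exercised by the test steps above, written as one decision function with the tenant check placed ahead of the sharing flags. This is an added example, not code from this pull request or from the project; all type, field and function names except `allowUpdate` and `othersMayEdit` are hypothetical, the sample users are constructed, and non-public annotations are assumed to be owner-only.

```typescript
// Added illustration: every type, field and function name below is hypothetical.
type User = { id: string; organizationId: string };
type Annotation = {
  ownerId: string;
  organizationId: string; // organization the annotation (owner) belongs to
  isPublic: boolean;
  othersMayEdit: boolean;
  lockedByUserId: string | null; // holder of the editing mutex, if any
};
type Decision = { mayView: boolean; allowUpdate: boolean; reason: string };

function decideAccess(user: User | null, a: Annotation): Decision {
  const isOwner = user !== null && user.id === a.ownerId;
  // Assumption: non-public annotations are modelled as owner-only; the page covers public ones.
  const mayView = a.isPublic || isOwner;
  const deny = (reason: string): Decision => ({ mayView, allowUpdate: false, reason });
  if (!mayView) return deny("not-visible");
  if (user === null) return deny("anonymous");
  if (!isOwner) {
    // Tenant boundary is checked before the sharing flags: isPublic and
    // othersMayEdit widen access inside the organization, never across it.
    if (user.organizationId !== a.organizationId) return deny("other-organization");
    if (!a.othersMayEdit) return deny("others-may-not-edit");
  }
  // Editing mutex: a second editor is refused while someone else holds the lock.
  if (a.lockedByUserId !== null && a.lockedByUserId !== user.id) {
    return deny("locked-by-other-user");
  }
  return { mayView, allowUpdate: true, reason: isOwner ? "owner" : "same-organization" };
}

// Constructed sample data mirroring the test steps: two organizations, one shared annotation.
const alice: User = { id: "alice", organizationId: "orgA" }; // owner
const bob: User = { id: "bob", organizationId: "orgA" }; // same organization
const carol: User = { id: "carol", organizationId: "orgB" }; // different organization
const shared: Annotation = {
  ownerId: "alice", organizationId: "orgA",
  isPublic: true, othersMayEdit: true, lockedByUserId: null,
};

function accessMatrix() {
  return {
    owner: decideAccess(alice, shared),
    bobUnlocked: decideAccess(bob, shared),
    bobWhileAliceEdits: decideAccess(bob, { ...shared, lockedByUserId: "alice" }),
    carolUnlocked: decideAccess(carol, shared),
    anonymous: decideAccess(null, shared),
  };
}
```

The `reason` field also distinguishes "locked by another user" from "other organization", which is the distinction the navbar tag discussed in the comments below cannot currently make.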
@MichaelBuessemeyer
Contributor

Works, but the navbar shows a tag like the annotation is locked by a user (which was not the case while I tested). That might be confusing.

I'll give this a quick check whether I can hide this

@MichaelBuessemeyer
Contributor

> I'll give this a quick check whether I can hide this

Ok, this is actually rather difficult to do. The frontend needs to know whether the current user belongs to the same orga as the annotation (owner). But currently that's not the case. And I do not want to remove this info from the user, as when the user is known it is actually useful.

Cf.

```tsx
if (othersMayEdit && !allowUpdate && !isLockedByOwner) {
  trailingNavItems.push(
    <AnnotationLockedByUserTag
      key="locked-by-user-tag"
      blockedByUser={blockedByUser}
      activeUser={activeUser}
    />,
  );
}
```

Let me check tomorrow, whether maybe blockedByUser == null can be used to detect this case and avoid the "Locked by unknown user" this way.

Contributor

@MichaelBuessemeyer MichaelBuessemeyer left a comment


LGTM, my previously mentioned improvement is deferred to a new issue

@fm3 fm3 merged commit a0542e6 into master Jul 22, 2024
2 checks passed
@fm3 fm3 deleted the no-editing-other-orga-annotations branch July 22, 2024 07:49
Successfully merging this pull request may close these issues.

allowUpdate should be false for annotations of other orgas, even if isPublic and editableByOthers are true
2 participants