Collaborator with the role "Reviewer" can delete other people's annotations
Original description from core#15 (closed):
- Create a new document
- Add a second user as a Collaborator with the role "Reviewer"
- Open the Legal Act, highlight any text, and add a Comment
- Log in as the user with the role "Reviewer" and open the newly created document (to which the Reviewer was invited)
- Open the Legal Act, highlight any text, and add a Comment
- Now open the browser console's Network tab and reload the page
- Search there for the request to https://leos-demo.eu/annotate/api/search. Open the Preview tab and find, in the rows array, the comment that was made by the creator; copy its ID for later use
- Now go back to your own comment (made by the Reviewer), start intercepting requests (using Burp), and delete your comment by clicking the button
- Find the DELETE request to /annotate/api/annotations/{ID} in the interceptor. Replace {ID} with the copied ID (the Creator's comment ID) and forward the request
- Reload the page and you will see that you have deleted the comment created by the Creator. More details in the attached PDF
TO BE DONE: the Annotate server needs to properly verify the permissions required to delete an annotation. Details given by Marius:
After some investigation we discovered that the back-end needs to apply the same validation of the current user's rights that the front-end already applies for the deletion of annotations.
The logic of the function "isDeleteButtonShown" in the file "client/src/sidebar/components/annotation.ts" needs to be applied on the back-end inside the "RequestMethod.DELETE" methods of the "AnnotationApiController.java" class
Those methods are:
public ResponseEntity bulkDeleteAnnotations()
and
public ResponseEntity deleteAnnotation()
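The following is an added example (not LEOS code) of the server-side check that the reproduction steps above show is missing and that the fix description asks for. It assumes, as a simplification, that the rule encoded by the front-end's isDeleteButtonShown is "only the annotation's author may delete it"; the Annotation type, the in-memory store, the user identifiers and the DeleteResult outcomes are illustrative stand-ins for the real controller, service and persistence classes. The essential point is that both the annotation's author and the current user come from server-side state (the stored annotation and the authenticated session), never from anything the client sends, so replacing {ID} in the DELETE request no longer helps the Reviewer.

```java
// Added example, not LEOS code. Demonstrates the authorization check that
// belongs at the top of deleteAnnotation() and bulkDeleteAnnotations().
// Types, store and identifiers are assumptions standing in for the real code.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class AnnotationDeleteCheck {

    // Minimal stand-in for the persisted annotation: the author is stored
    // server-side when the annotation is created.
    static final class Annotation {
        final String id;
        final String authorId;
        final String documentId;

        Annotation(String id, String authorId, String documentId) {
            this.id = id;
            this.authorId = authorId;
            this.documentId = documentId;
        }
    }

    // In-memory stand-in for the annotation repository.
    static final class AnnotationStore {
        private final Map<String, Annotation> byId = new HashMap<>();

        void save(Annotation a) { byId.put(a.id, a); }
        Optional<Annotation> find(String id) { return Optional.ofNullable(byId.get(id)); }
        void delete(String id) { byId.remove(id); }
    }

    enum DeleteResult { DELETED, NOT_FOUND, FORBIDDEN }

    // Server-side equivalent of the front-end isDeleteButtonShown rule
    // (assumed here to be: only the author may delete). currentUserId must
    // come from the authenticated session, not from the request.
    static boolean mayDelete(String currentUserId, Annotation a) {
        return a.authorId.equals(currentUserId);
    }

    // Logic for the single-annotation DELETE endpoint: look the annotation up
    // by the path id, then check the caller against the *stored* author.
    static DeleteResult deleteAnnotation(AnnotationStore store, String currentUserId, String id) {
        Optional<Annotation> found = store.find(id);
        if (found.isEmpty()) {
            return DeleteResult.NOT_FOUND;
        }
        if (!mayDelete(currentUserId, found.get())) {
            return DeleteResult.FORBIDDEN;
        }
        store.delete(id);
        return DeleteResult.DELETED;
    }

    // Logic for the bulk DELETE endpoint: authorize every id before deleting
    // anything, so one foreign id rejects the whole request instead of
    // leaving a partially applied deletion behind.
    static DeleteResult bulkDeleteAnnotations(AnnotationStore store, String currentUserId, List<String> ids) {
        List<Annotation> targets = new ArrayList<>();
        for (String id : ids) {
            Optional<Annotation> found = store.find(id);
            if (found.isEmpty()) {
                return DeleteResult.NOT_FOUND;
            }
            if (!mayDelete(currentUserId, found.get())) {
                return DeleteResult.FORBIDDEN;
            }
            targets.add(found.get());
        }
        for (Annotation a : targets) {
            store.delete(a.id);
        }
        return DeleteResult.DELETED;
    }

    public static void main(String[] args) {
        AnnotationStore store = new AnnotationStore();
        // Constructed sample data mirroring the report: one comment by the
        // document creator, one by the invited Reviewer, same document.
        store.save(new Annotation("ann-creator-1", "creator", "doc-1"));
        store.save(new Annotation("ann-reviewer-1", "reviewer", "doc-1"));

        // The attack from the report: the Reviewer forwards the DELETE with
        // the creator's annotation id substituted into the path.
        System.out.println("reviewer deletes creator's comment: "
                + deleteAnnotation(store, "reviewer", "ann-creator-1"));
        // The legitimate case: the Reviewer deletes their own comment.
        System.out.println("reviewer deletes own comment: "
                + deleteAnnotation(store, "reviewer", "ann-reviewer-1"));
        // Bulk variant with a foreign id mixed in.
        System.out.println("reviewer bulk-deletes creator's comment: "
                + bulkDeleteAnnotations(store, "reviewer", List.of("ann-creator-1")));
        System.out.println("creator's comment still present: "
                + store.find("ann-creator-1").isPresent());
    }
}
```

Compile and run with `java AnnotationDeleteCheck.java` (Java 11 or later). In the real controller the FORBIDDEN outcome maps to an HTTP 403 response and NOT_FOUND to 404; if the front-end's isDeleteButtonShown allows more than the author (for example a document owner or an administrator role), the server-side rule must be widened to exactly that set and no further, and it must evaluate that set against server-held data rather than against fields the client includes in the request.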