Disallow editing description of someone else’s annotation

CHANGELOG.md

@@ -20,6 +20,7 @@ For upgrade instructions, please check the [migration guide](MIGRATIONS.md).
 ### Fixed
 - Fixed that a node was created when using right click while brushing mode is active in hybrid tracings. [#4433](https://github.com/scalableminds/webknossos/pull/4433)
 - Fixed opening view only dataset links with arbitrary modes being initially displayed in plane mode. [#4421](https://github.com/scalableminds/webknossos/pull/4421)
+- Fixed a bug where users were wrongly allowed to edit the description of an annotation they were allowed to see but not update [#4466](https://github.com/scalableminds/webknossos/pull/4466)
 - Fixed the creation of histograms for float datasets that only have one value besides 0. [#4468](https://github.com/scalableminds/webknossos/pull/4468)
 
 ### Removed

app/controllers/AnnotationController.scala

@@ -213,6 +213,8 @@ class AnnotationController @Inject()(
   def editAnnotation(typ: String, id: String) = sil.SecuredAction.async(parse.json) { implicit request =>
     for {
       annotation <- provider.provideAnnotation(typ, id, request.identity) ~> NOT_FOUND
+      restrictions <- provider.restrictionsFor(typ, id) ?~> "restrictions.notFound" ~> NOT_FOUND
+      _ <- restrictions.allowUpdate(request.identity) ?~> "notAllowed" ~> FORBIDDEN
       name = (request.body \ "name").asOpt[String]
       description = (request.body \ "description").asOpt[String]
       visibility = (request.body \ "visibility").asOpt[String]

frontend/javascripts/oxalis/view/right-menu/dataset_info_tab_view.js

@@ -195,21 +195,36 @@ class DatasetInfoTabView extends React.PureComponent<Props> {
     }
     const tracingDescription = this.props.tracing.description || "<no description>";
 
+    let descriptionEditField;
+    if (this.props.tracing.restrictions.allowUpdate) {
+      descriptionEditField = (
+        <span style={{ verticalAlign: "top" }}>
+          Description:
+          <EditableTextLabel
+            value={tracingDescription}
+            onChange={this.setAnnotationDescription}
+            rows={4}
+            markdown
+            label="Annotation Description"
+          />
+        </span>
+      );
+    } else {
+      descriptionEditField = (
+        <span style={{ verticalAlign: "top" }}>
+          Description:
+          <Markdown
+            source={tracingDescription}
+            options={{ html: false, breaks: true, linkify: true }}
+          />
+        </span>
+      );
+    }
+
     return (
       <div className="flex-overflow">
         <p>{annotationTypeLabel}</p>
-        <p>
-          <span style={{ verticalAlign: "top" }}>
-            Description:
-            <EditableTextLabel
-              value={tracingDescription}
-              onChange={this.setAnnotationDescription}
-              rows={4}
-              markdown
-              label="Annotation Description"
-            />
-          </span>
-        </p>
+        <p>{descriptionEditField}</p>
       </div>
     );
   }