Merge pull request #4902 from dodona-edu/fix/403-saved-annotations

Avoid 403 errors when a user cannot access linked saved annotations
dodona-edu · Aug 17, 2023 · 1be48ad · 1be48ad
2 parents cd97690 + 239d015
commit 1be48ad
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/app/views/annotations/_annotation.json.jbuilder b/app/views/annotations/_annotation.json.jbuilder
@@ -1,4 +1,4 @@
-json.extract! annotation, :id, :line_nr, :annotation_text, :user_id, :submission_id, :saved_annotation_id, :created_at, :updated_at, :course_id, :column, :rows, :columns
+json.extract! annotation, :id, :line_nr, :annotation_text, :user_id, :submission_id, :created_at, :updated_at, :course_id, :column, :rows, :columns
 json.row annotation.line_nr || 0
 if annotation.is_a?(Question)
   json.extract! annotation, :question_state
@@ -41,3 +41,6 @@ json.responses annotation.responses do |response|
   json.partial! response, as: :annotation
 end
 json.thread_root_id annotation.thread_root_id
+
+# Only include the saved annotation id if the user is allowed to see it
+json.saved_annotation_id annotation.saved_annotation_id if annotation.saved_annotation.present? && SavedAnnotationPolicy.new(current_user, annotation.saved_annotation).show?