From a0542e64313e7dc6c975cd0b0e4579086f5b9956 Mon Sep 17 00:00:00 2001 From: Florian M Date: Mon, 22 Jul 2024 09:49:05 +0200 Subject: [PATCH] =?UTF-8?q?Forbid=20editing=20other=20orga=E2=80=99s=20pub?= =?UTF-8?q?lic=20annotations=20(#7923)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Forbid editing other orgas public annotations * changelog --- CHANGELOG.unreleased.md | 1 + app/models/annotation/AnnotationRestrictions.scala | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.unreleased.md b/CHANGELOG.unreleased.md index 2f620aff16a..0582feccc2a 100644 --- a/CHANGELOG.unreleased.md +++ b/CHANGELOG.unreleased.md @@ -18,6 +18,7 @@ For upgrade instructions, please check the [migration guide](MIGRATIONS.released ### Changed - The warning about a mismatch between the scale of a pre-computed mesh and the dataset scale's factor now also considers all supported mags of the active segmentation layer. This reduces the false posive rate regarding this warning. [#7921](https://github.com/scalableminds/webknossos/pull/7921/) +- It is no longer allowed to edit annotations of other organizations, even if they are set to public and to others-may-edit. [#7923](https://github.com/scalableminds/webknossos/pull/7923) ### Fixed - Fixed a bug that allowed the default newly created bounding box to appear outside the dataset. In case the whole bounding box would be outside it is created regardless. [#7892](https://github.com/scalableminds/webknossos/pull/7892) diff --git a/app/models/annotation/AnnotationRestrictions.scala b/app/models/annotation/AnnotationRestrictions.scala index 4d5a27f0276..c1cc14c7b57 100755 --- a/app/models/annotation/AnnotationRestrictions.scala +++ b/app/models/annotation/AnnotationRestrictions.scala 
@@ -68,9 +68,13 @@ class AnnotationRestrictionDefaults @Inject()(userService: UserService)(implicit override def allowUpdate(user: Option[User]): Fox[Boolean] = for { accessAllowed <- allowAccess(user) + annotationOwner <- userService.findOneCached(annotation._user)(GlobalAccessContext) } yield user.exists { user => - (annotation._user == user._id || accessAllowed && annotation.othersMayEdit) && !(annotation.state == Finished) && !annotation.isLockedByOwner + (annotation._user == user._id || (accessAllowed && annotation.othersMayEdit)) && + !(annotation.state == Finished) && + !annotation.isLockedByOwner && + annotationOwner._organization == user._organization } override def allowFinish(userOption: Option[User]): Fox[Boolean] =
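Review bot: The added `annotationOwner <- userService.findOneCached(annotation._user)(GlobalAccessContext)` step sits inside the for-comprehension, so if the owner cannot be resolved `allowUpdate` presumably yields a failed or empty Fox rather than `false`, and the lookup also runs for anonymous requests whose result is already `false`. The callers are outside this hunk, so it is worth confirming that each of them treats a non-success Fox as a denial and the check fails closed. The organization comparison only matters on the `othersMayEdit` path (for the owner it is trivially true), so folding it into that branch, `(accessAllowed && annotation.othersMayEdit && annotationOwner._organization == user._organization)`, would state the rule more directly. A short comment such as `// GlobalAccessContext: requester may not be allowed to read the owner; result is used only for the organization comparison` would explain the elevated context. The diffstat shows no test file, so a regression test for the cross-organization public + others-may-edit case is still missing.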