fixes annotation editor controller (#2587)

* fixes annotation editor controller * updated REST ful permissions
GMOD · Feb 26, 2021 · 3888f79 · 3888f79
1 parent 99c85e8
commit 3888f79
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 7 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -15,7 +15,7 @@ Bug Fixes:
 - Bad coordinate value in genomic element details screen in annotator panel [2559](https://github.com/GMOD/Apollo/issues/2559).
 - Web services indicated user had no organism permissions when checking the login [2554](https://github.com/GMOD/Apollo/issues/2554).
 - Vcf reads as ISO-8859-1 instead of UTF-8 from reader mangling some symbols. [2498](https://github.com/GMOD/Apollo/issues/2498).
-- Added security fixes for web services. [2564](https://github.com/GMOD/Apollo/pull/2564).
+- Added security fixes for web services. [2564](https://github.com/GMOD/Apollo/pull/2564), [2587](https://github.com/GMOD/Apollo/pull/2587).
 - In some cases web services tries to create a preference which results in incorrect results [2580](https://github.com/GMOD/Apollo/issues/2580).
 - For the track service, the overlap filter is too restrictive when converting NCList to JSON [2586](https://github.com/GMOD/Apollo/issues/2586).
 

diff --git a/grails-app/controllers/org/bbop/apollo/AnnotationEditorController.groovy b/grails-app/controllers/org/bbop/apollo/AnnotationEditorController.groovy
@@ -137,14 +137,16 @@ class AnnotationEditorController extends AbstractApolloController implements Ann
         if (!inputObject.track && inputObject.sequence) {
             inputObject.track = inputObject.sequence  // support some legacy
         }
-        inputObject.put(FeatureStringEnum.USERNAME.value, SecurityUtils.subject.principal)
         JSONArray featuresArray = inputObject.getJSONArray(FeatureStringEnum.FEATURES.value)
-        permissionService.checkPermissions(inputObject, PermissionEnum.READ)
-
-        JSONObject historyContainer = jsonWebUtilityService.createJSONFeatureContainer();
-        historyContainer = featureEventService.generateHistory(historyContainer, featuresArray)
+        if(permissionService.hasPermissions(inputObject, PermissionEnum.READ)){
+            JSONObject historyContainer = jsonWebUtilityService.createJSONFeatureContainer();
+            historyContainer = featureEventService.generateHistory(historyContainer, featuresArray)
+            render historyContainer as JSON
+        }
+        else{
+            render status: HttpStatus.UNAUTHORIZED
+        }
 
-        render historyContainer as JSON
     }