[API] It should not be possible for a user to create an annotation they cannot delete #2287

Closed
nickstenning opened this Issue Jun 5, 2015 · 4 comments

@nickstenning
Contributor

commented Jun 5, 2015

At the moment it's possible for a user to create an annotation with a permissions field that prevents them from ever changing/removing that annotation. For example, if I create an annotation with an apparently correct but misformatted permissions field, such as:

{
  ...
  "permissions": {
    "read": "group:__world__",
    "admin": "acct:foo@example.com",
    "delete": "acct:foo@example.com"
  }
}

(In this example the permissions field is invalid because the values should be arrays of strings, not strings.)

Then I can never delete this annotation. More importantly, I can't fix the issue since the admin permission is also misformatted.

The special permission admin denotes the ability to update the permissions field. I'd argue that it should not be possible for an annotation created by the user acct:alice@example.com to ever create or modify an annotation in a way that the admin permission set does not include acct:alice@example.com.
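
One way to implement the narrow check proposed above, as an added example that is not the project's own code: reject any permissions value that is not an array of strings, and reject any payload whose admin list omits the creator. The function names, the sample payloads and the rule that a permissions object must be present are assumptions.

```python
"""Added example: validate an annotation's permissions before create/update.
Function and constant names are hypothetical, not the project's API."""


class PermissionsError(ValueError):
    """Raised when a permissions field must be rejected."""


def validate_permissions(annotation, creator):
    """Return the permissions dict, or raise PermissionsError.

    `creator` is the authenticated principal that owns the annotation,
    taken from the session or stored record, never from the payload.
    """
    perms = annotation.get("permissions")
    if not isinstance(perms, dict):
        raise PermissionsError("permissions must be an object")
    # Type-check before any membership test: `in` on a str is a
    # substring test, so a bare string must never reach that check.
    for action, principals in perms.items():
        if not isinstance(principals, list) or not all(
            isinstance(p, str) for p in principals
        ):
            raise PermissionsError(
                "permissions.%s must be an array of strings" % action
            )
    if creator not in perms.get("admin", []):
        raise PermissionsError("admin must include the creator %s" % creator)
    return perms


def rejection_reason(annotation, creator):
    """Return None if the payload is acceptable, else the error text."""
    try:
        validate_permissions(annotation, creator)
    except PermissionsError as exc:
        return str(exc)
    return None


# Constructed sample payloads (other annotation fields omitted).
USER = "acct:foo@example.com"
MALFORMED = {"permissions": {"read": "group:__world__", "admin": USER, "delete": USER}}
LOCKED_OUT = {"permissions": {"read": ["group:__world__"], "admin": ["acct:bar@example.com"]}}
WELL_FORMED = {"permissions": {"read": ["group:__world__"], "admin": [USER], "delete": [USER]}}
```

Running the same function on every update, with `creator` read from the stored annotation, also covers the modify case described above.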

@judell

Contributor

commented Jun 5, 2015

s/user/developer/

Our explicit REST API is straightforward. The implicit API defined by the JSON structures in the payload is obscure.

Can we offer a validator that checks for well-formedness (which would solve this and other yet-to-be-encountered similar problems) and, over time, also offers guidance (e.g. "you're only using TextPositionSelector, your annotations will anchor more robustly if you can also use TextQuoteSelector, see [link] for details")?

If so should this issue be addressed narrowly or in that broader way?

@tilgovi

Contributor

commented Jun 10, 2015

Issue should definitely be addressed very narrowly. To address it more broadly we have some philosophical questions to answer around such things as whether we want to continue allowing schemaless addition of fields. The permissions field, along with "user", "uri", "target.source" and other URI metadata, are unique in that they impact the API itself by affecting authorization and search. Most fields, like the target, text, tags, etc, do not.

@nickstenning

Contributor Author

commented Jun 10, 2015

> Issue should definitely be addressed very narrowly.

👍

Let's start by fixing this obvious bug/misfeature.

@nickstenning

Contributor Author

commented Apr 20, 2016

This has been fixed in recent versions.
