Open dvstans opened 3 years ago
While I disagree that this is a security issue, it does highlight some bad behavior. Annotation discussions while open should be restricted to only relevant parties - no one should be able to see the annotation or any related comments. Once activated, anyone can see the annotation, but they still should not see the original discussion unless the owner wants to include it. Once active, no one should be able to add new comments. The owner should be able to edit though.
The reported issue was already fixed; however, the comments above are still valid.
Again, I think the annotation feature needs a redesign.
Could you open a new issue with your ideas for a new annotation design - I think this issue should be closed.
See the incident report from SynAck - apparently the API allows access to data that it shouldn't? This might simply be a misunderstanding of how annotations work.