Private annotation comments visible to other users

Open dvstans opened this issue 4 years ago • 4 comments

See incident report from SynAck - apparently the API allows access to data that it shouldn't? This might simply be a misunderstanding of how annotations work.

dvstans avatar Feb 26 '21 17:02 dvstans

While I disagree that this is a security issue, it does highlight some bad behavior. Annotation discussions while open should be restricted to only relevant parties - no one should be able to see the annotation or any related comments. Once activated, anyone can see the annotation, but they still should not see the original discussion unless the owner wants to include it. Once active, no one should be able to add new comments. The owner should be able to edit though.

dvstans avatar Feb 26 '21 18:02 dvstans
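
The visibility rules proposed in the comment above, sketched as a server-side policy check. This is an added example, not DataFed code and not part of the original thread. The field names (`owner`, `parties`, `state`, `includeDiscussion`), the two-state model, and the reading of "relevant parties" as the owner plus an explicit list are assumptions.

```javascript
// Added illustration, not DataFed source. Field names (owner, parties,
// state, includeDiscussion) and the two-state model are assumptions.
const OPEN = "open";
const ACTIVE = "active";

// Assumption: "relevant parties" = the annotation owner plus an explicit list.
function isParty(note, user) {
  return user === note.owner || note.parties.includes(user);
}

// Build the API response for `user`, or null when nothing may be disclosed.
// Filtering happens here, on the server, so hidden comments never leave it.
function viewNote(note, user) {
  const party = isParty(note, user);
  if (note.state === OPEN) {
    if (!party) return null; // open: annotation and comments hidden from outsiders
    return { id: note.id, text: note.text, comments: [...note.comments] };
  }
  if (note.state === ACTIVE) {
    // Assumption: parties keep access to the discussion after activation.
    const showDiscussion = party || note.includeDiscussion === true;
    return { id: note.id, text: note.text, comments: showDiscussion ? [...note.comments] : [] };
  }
  return null; // unknown state: deny by default
}

// New comments are accepted only while the annotation is open.
function canComment(note, user) {
  return note.state === OPEN && isParty(note, user);
}

// Only the owner may edit, in either state.
function canEdit(note, user) {
  return user === note.owner && (note.state === OPEN || note.state === ACTIVE);
}

// Constructed sample data.
const sample = {
  id: "n1", owner: "alice", parties: ["bob"], state: OPEN,
  includeDiscussion: false, text: "Column 3 units look wrong",
  comments: [{ by: "bob", text: "Will check the source file" }],
};
const activated = { ...sample, state: ACTIVE };

console.log(viewNote(sample, "mallory"));    // outsider, open annotation
console.log(viewNote(activated, "mallory")); // outsider, active annotation
console.log(canComment(activated, "bob"));   // party, active annotation
```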

The reported issue was already fixed; however, comments above are still valid.

dvstans avatar Feb 26 '21 18:02 dvstans

Opinion

Again, I think the annotation feature needs a redesign.

JoshuaSBrown avatar Dec 27 '22 19:12 JoshuaSBrown

Could you open a new issue with your ideas for a new annotation design - I think this issue should be closed.

dvstans avatar Jan 26 '23 14:01 dvstans