From d3c18a58594d662bfcfdd81f383e0a587394003c Mon Sep 17 00:00:00 2001 From: Will Thompson Date: Tue, 14 Jul 2015 10:48:05 +0200 Subject: [PATCH] editAnnotation: explicitly refuse to change layer, fixes #2818 --- pandora/annotation/views.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pandora/annotation/views.py b/pandora/annotation/views.py index 1ce342d3..f11cc143 100644 --- a/pandora/annotation/views.py +++ b/pandora/annotation/views.py @@ -278,6 +278,9 @@ def editAnnotation(request, data): a = get_object_or_404_json(models.Annotation, public_id=data['id']) if a.editable(request.user): layer = get_by_id(settings.CONFIG['layers'], a.layer) + if 'layer' in data and data['layer'] != a.layer: + response = json_response(status=400, text='cannot change annotation layer') + return render_to_json_response(response) for key in ('value', 'in', 'out'): if key in data: if key == 'value' and layer['type'] == 'entity':