diff --git a/pandora/annotation/models.py b/pandora/annotation/models.py
index 55cb04f4..1ef3648d 100644
--- a/pandora/annotation/models.py
+++ b/pandora/annotation/models.py
@@ -39,7 +39,7 @@ class Annotation(models.Model):
     def editable(self, user):
         if user.is_authenticated():
-            if user.is_staff or \
+            if user.get_profile().capability('canEditAnnotations') or \
               self.user == user or \
               user.groups.filter(id__in=self.groups.all()).count() > 0:
                 return True
diff --git a/pandora/annotation/views.py b/pandora/annotation/views.py
index ff58c666..512c4acd 100644
--- a/pandora/annotation/views.py
+++ b/pandora/annotation/views.py
@@ -131,17 +131,19 @@ def addAnnotation(request):
     item = get_object_or_404_json(Item, itemId=data['item'])
-    #FIXME: check that layer is a valid layer id
-    layer = data['layer']
-
-    annotation = models.Annotation(
-        item=item,
-        layer=layer,
-        user=request.user,
-        start=float(data['in']), end=float(data['out']),
-        value=data['value'])
-    annotation.save()
-    response = json_response(annotation.json())
+    layer_id = data['layer']
+    layer = filter(lambda l: l['id'] == layer_id, settings.CONFIG['layers'])[0]
+    if layer['canAddAnnotations'].get(request.user.get_profile().get_level()):
+        annotation = models.Annotation(
+            item=item,
+            layer=layer_id,
+            user=request.user,
+            start=float(data['in']), end=float(data['out']),
+            value=data['value'])
+        annotation.save()
+        response = json_response(annotation.json())
+    else:
+        response = json_response(status=403, text='permission denied')
     return render_to_json_response(response)
 actions.register(addAnnotation, cache=False)
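Review bot: The new first operand of the `or` chain in `editable` is an authorization decision that now depends on a profile lookup and a config-driven capability, and nothing documents that; the `is_staff` shortcut is gone, so a staff account without that capability is treated like any other user, and `user.get_profile()` presumably raises when no profile row exists, where `is_staff` could not raise — confirm every authenticated user is guaranteed a profile. I would add a docstring to `editable`: `"""Return True if *user* may edit this annotation: a profile with the 'canEditAnnotations' capability, the annotation's owner, or membership in one of its groups."""`. The rest of `editable` (the fall-through return for the negative case) is outside the hunk.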
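Review bot: The `filter(...)[0]` line in `addAnnotation` still does not validate the client-supplied layer id that the removed `#FIXME` asked for: a `layer` value matching no entry in `settings.CONFIG['layers']` raises `IndexError` and the request fails with a 500 instead of a deliberate client error, and the indexing also assumes the Python 2 list-returning `filter`. I would replace that line with `layer = next((l for l in settings.CONFIG['layers'] if l['id'] == layer_id), None)` followed by `if layer is None:` and `    return render_to_json_response(json_response(status=404, text='unknown layer'))`, mirroring how the item lookup above already 404s. The `.get(...)` on `canAddAnnotations` is fail-closed for an unconfigured level, which is the right default and worth a one-line comment such as `# levels absent from canAddAnnotations are denied`. The start of `addAnnotation`, where `data` is parsed, is outside the hunk.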