From 3fc359b01d225a813edbe465042034b1fd4a1302 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Wed, 20 May 2026 20:09:48 +0200
Subject: [PATCH] fix(transcription): allow ANNOTATE_ALL on block write
 endpoints

TranscriptionBlockController required WRITE_ALL exclusively, blocking
users with only ANNOTATE_ALL from saving, reviewing, or deleting blocks.
All write endpoints now accept {ANNOTATE_ALL, WRITE_ALL}, matching the
pattern already established in AnnotationController and CommentController.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../transcription/TranscriptionBlockController.java  | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/backend/src/main/java/org/raddatz/familienarchiv/document/transcription/TranscriptionBlockController.java b/backend/src/main/java/org/raddatz/familienarchiv/document/transcription/TranscriptionBlockController.java
index 0a2240a4..feb5e378 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/document/transcription/TranscriptionBlockController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/document/transcription/TranscriptionBlockController.java
@@ -43,7 +43,7 @@ public class TranscriptionBlockController {
 
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public TranscriptionBlock createBlock(
             @PathVariable UUID documentId,
             @Valid @RequestBody CreateTranscriptionBlockDTO dto,
@@ -53,7 +53,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/{blockId}")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public TranscriptionBlock updateBlock(
             @PathVariable UUID documentId,
             @PathVariable UUID blockId,
@@ -65,7 +65,7 @@ public class TranscriptionBlockController {
 
     @DeleteMapping("/{blockId}")
     @ResponseStatus(HttpStatus.NO_CONTENT)
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public void deleteBlock(
             @PathVariable UUID documentId,
             @PathVariable UUID blockId) {
@@ -73,7 +73,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/reorder")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public List<TranscriptionBlock> reorderBlocks(
             @PathVariable UUID documentId,
             @RequestBody ReorderTranscriptionBlocksDTO dto) {
@@ -82,7 +82,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/{blockId}/review")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public TranscriptionBlock reviewBlock(
             @PathVariable UUID documentId,
             @PathVariable UUID blockId,
@@ -92,7 +92,7 @@ public class TranscriptionBlockController {
     }
 
     @PutMapping("/review-all")
-    @RequirePermission(Permission.WRITE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
     public List<TranscriptionBlock> markAllBlocksReviewed(
             @PathVariable UUID documentId,
             Authentication authentication) {