fix: allow WRITE_ALL users to create and delete annotations

@RequirePermission on POST and DELETE annotation endpoints previously only listed ANNOTATE_ALL. Users with WRITE_ALL (but not ANNOTATE_ALL) received 403. A user who can write documents should also be able to annotate them — both permissions now accepted on both methods. Also updates canAnnotate in +layout.server.ts to match, so the UI correctly reflects annotation capability for WRITE_ALL users. Tests: AnnotationControllerTest (+2 RED→GREEN). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 15:42:26 +01:00
parent 4ff87b035e
commit affee407ef
2 changed files with 25 additions and 2 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/controller/AnnotationController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/controller/AnnotationController.java
@@ -35,7 +35,7 @@ public class AnnotationController {

    @PostMapping
    @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.ANNOTATE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
    public DocumentAnnotation createAnnotation(
            @PathVariable UUID documentId,
            @RequestBody CreateAnnotationDTO dto,
@@ -47,7 +47,7 @@ public class AnnotationController {

    @DeleteMapping("/{annotationId}")
    @ResponseStatus(HttpStatus.NO_CONTENT)
-    @RequirePermission(Permission.ANNOTATE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
    public void deleteAnnotation(
            @PathVariable UUID documentId,
            @PathVariable UUID annotationId,