Add CanEditAnnotation permission

backend/api/permissions.py

@@ -47,6 +47,20 @@ class IsOwnAnnotation(ProjectMixin, BasePermission):
         return annotation.exists()
 
 
+class CanEditAnnotation(ProjectMixin, BasePermission):
+
+    def __init__(self, queryset):
+        super().__init__()
+        self.queryset = queryset
+
+    def has_permission(self, request, view):
+        if request.user.is_superuser:
+            return True
+
+        annotation_id = view.kwargs.get('annotation_id')
+        return self.queryset.filter(id=annotation_id, user=request.user).exists()
+
+
 class IsOwnComment(ProjectMixin, BasePermission):
     @classmethod
     def has_object_permission(cls, request, view, obj):

backend/api/views/tasks/base.py

@@ -1,3 +1,5 @@
+from functools import partial
+
 from django.core.exceptions import ValidationError
 from django.shortcuts import get_object_or_404
 from rest_framework import generics, status
@@ -5,7 +7,7 @@ from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 
 from ...models import Project
-from ...permissions import IsInProjectOrAdmin, IsOwnAnnotation
+from ...permissions import CanEditAnnotation, IsInProjectOrAdmin
 
 
 class BaseListAPI(generics.ListCreateAPIView):
@@ -53,5 +55,7 @@ class BaseDetailAPI(generics.RetrieveUpdateDestroyAPIView):
         if self.project.collaborative_annotation:
             self.permission_classes = [IsAuthenticated & IsInProjectOrAdmin]
         else:
-            self.permission_classes = [IsAuthenticated & IsInProjectOrAdmin & IsOwnAnnotation]
+            self.permission_classes = [
+                IsAuthenticated & IsInProjectOrAdmin & partial(CanEditAnnotation, self.queryset)
+            ]
         return super().get_permissions()