-
Task
-
Resolution: Unresolved
-
Normal
-
None
-
None
In the first implementation of the interface to modify/remove edit notes, the permissions to change edit notes are computed in the `EditNote` React component rather than in the controllers serving edit notes. This is not a vulnerability as the controller also checks permissions when the form is submitted. But to avoid permissions mismatch in the future, these should be computed in the model to follow the MVC pattern.
Originally discussed at https://github.com/metabrainz/musicbrainz-server/pull/2357#discussion_r1195122233.