Although "user" is treated correctly, the "permissions" object is currently written and returned directly from the JSON.
It should also be stripped on create/update, and generated from the user column in populateAnnotation. This is for security reasons; as is the owner of the annotation can e.g. give update and admin rights to anyone.
Version: unspecified
Severity: normal