
fix : add repository ownership check to GET /api/annotations endpoint #2361

Open
tmdeveloper007 wants to merge 1 commit into nisshchayarathi:main from tmdeveloper007:#2353

Conversation

@tmdeveloper007

Contributor

Fixes #2353

Summary

The GET /api/annotations?repositoryId=<id> endpoint required authentication but performed no repository ownership check. Any authenticated user could read the map annotations for any repository by simply providing its repositoryId.

Changes

  • app/api/annotations/route.ts: Added enforceRepositoryPermission(request, repositoryId, read) call before querying mapAnnotation records. Returns 404 (not 403) when access is denied to avoid leaking repository existence to unauthorized users.

Security Impact

Closes an Insecure Direct Object Reference (IDOR) vulnerability. Users can no longer access annotations for repositories they do not own or have been granted access to.

Prevents IDOR vulnerability where any authenticated user could read
annotations for any repository by providing its repositoryId.

Adds enforceRepositoryPermission check before querying mapAnnotation
records, returning 404 (not 403) to avoid repository enumeration.

Fixes nisshchayarathi#2353
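The check described above, as an added example that is not the project's own code: a minimal model of the GET /api/annotations handler before and after the fix. The session lookup, the shape of enforceRepositoryPermission, the in-memory repository and mapAnnotation data, and the request/response types are assumptions standing in for the real implementation.

```typescript
type Permission = "read" | "write";
type Req = { url: string; headers: { [name: string]: string | undefined } };
type Res = { status: number; body: unknown };

// Constructed sample data standing in for the repository and mapAnnotation tables.
const repositories: { [id: string]: { ownerId: string; readers: string[] } | undefined } = {
  "repo-1": { ownerId: "alice", readers: ["bob"] },
  "repo-2": { ownerId: "carol", readers: [] },
};
const mapAnnotations = [
  { id: "a1", repositoryId: "repo-1", text: "entry point" },
  { id: "a2", repositoryId: "repo-2", text: "private note" },
];

// Hypothetical session lookup; a real app would validate a session cookie or token.
function getUserId(request: Req): string | undefined {
  return request.headers["x-user"];
}

// Assumed shape of enforceRepositoryPermission: true only when the caller owns the
// repository or has been granted the requested permission on it.
function enforceRepositoryPermission(request: Req, repositoryId: string, perm: Permission): boolean {
  const userId = getUserId(request);
  const repo = repositories[repositoryId];
  if (!userId || !repo) return false; // unknown repo and denied access look the same
  if (repo.ownerId === userId) return true;
  return perm === "read" && repo.readers.includes(userId);
}
function parseRepositoryId(request: Req): string | null {
  return new URL(request.url).searchParams.get("repositoryId");
}

// Before the fix: authentication only, so any signed-in user could read any
// repository's annotations by supplying its repositoryId (IDOR).
function getAnnotationsBefore(request: Req): Res {
  if (!getUserId(request)) return { status: 401, body: "Unauthorized" };
  const repositoryId = parseRepositoryId(request);
  if (!repositoryId) return { status: 400, body: "repositoryId required" };
  return { status: 200, body: mapAnnotations.filter((a) => a.repositoryId === repositoryId) };
}

// After the fix: ownership check before the query. Denial answers 404 rather than
// 403 so "exists but not yours" is indistinguishable from "does not exist".
function getAnnotationsAfter(request: Req): Res {
  if (!getUserId(request)) return { status: 401, body: "Unauthorized" };
  const repositoryId = parseRepositoryId(request);
  if (!repositoryId) return { status: 400, body: "repositoryId required" };
  if (!enforceRepositoryPermission(request, repositoryId, "read")) return { status: 404, body: "Not found" };
  return { status: 200, body: mapAnnotations.filter((a) => a.repositoryId === repositoryId) };
}
```

A regression test for this change should assert that a non-owner and a non-existent repositoryId both receive the same 404, since a different status for the two cases would reintroduce repository enumeration.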
@vercel

vercel Bot commented Jun 16, 2026


@tmdeveloper007 is attempting to deploy a commit to the Nisshchaya's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Contributor

Warning

Review limit reached

@tmdeveloper007, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 21 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1f722c47-2f1d-46f4-9e8f-d1614ac9200c

📥 Commits

Reviewing files that changed from the base of the PR and between d53ee6b and 7994ad7.

📒 Files selected for processing (1)
  • app/api/annotations/route.ts


@github-actions github-actions Bot added the GSSoC'26 Part of GirlScript Summer of Code 2026 label Jun 16, 2026
@github-actions


🎉 Thanks for your contribution, @tmdeveloper007!

Your PR has passed our automated GSSoC quality checks. Here's a quick summary:

Check Status
PR description ✅ Provided
PR title ✅ Meaningful
Linked issue ✅ Found
Change size ✅ Looks good (18 lines across 1 file(s))

A maintainer will review your PR soon. Please be patient and available for feedback. 💪

GSSoC'26 automation · Maintainer: @nisshchayarathi

@tmdeveloper007

Contributor Author

CI status: Build, Type Check, Lint, CodeQL, GSSoC checks all green. Note: Unit Tests job reports a pre-existing failure in app/api/auth/sessions/tests/route.test.ts due to a Jest/ESM module compatibility issue (jose/dist/browser/index.js). This failure exists on the upstream main branch and is unrelated to this PR. Ready for merge.

Development

Successfully merging this pull request may close these issues: Denial of Service (DoS) via Unbounded Subprocess Spawning