diff --git a/CHANGELOG b/CHANGELOG
index f36d27f5dbf1012e9f8f2f899f02f26fd9e0f556..0562e77dc75ca444e5e32074d87d929e9fe6c3d7 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,148 +1,85 @@
-minerva (14.0.0~beta.2) unstable; urgency=low
+minerva (14.0.0) stable; urgency=medium
+ * Feature removal: BioCompendium annotator removed (#32)
+ * Feature removal: support for tomcat7 removed (#828)
+ * Feature: security layer redesigned - privilege types and scope changed
+ (#636, #624)
+ * Feature: log4j is replaced with log4j2 logging mechanism (#291)
+ * Feature: database installed via debian package is done via dbconfig-commons
+ (#469)
+ * Feature: Replaced connection pool manager C3P0 with better maintained
+ Hikari - restart of postgresql database doesn't require restart of tomcat
+ (#564)
+ * Small improvement: debian package can be installed on debian:buster (#879)
* Small improvement: info window contains information about overlay No (#919)
- * Small improvement: curator without write access to project has info about
- it when editing project (#940)
- * Small improvement: when revoking view access to project, revoke
- automatically write access to it (#920)
- * Bug fix: exported SBML passes online validation (#831)
- * Bug fix: changing owner of data overlay should change order index (#945)
- * Bug fix: allow user to remove own comments (#931)
- * Bug fix: validation of project name length is provided (#950)
- * Bug fix: after reducing privileges on himself interface is refreshed (#948)
- * Bug fix: list of "Copy from" elements in "Select valid annotations" dialog
- is shortened to used bio entity typrd (#911)
- * Bug fix: removing overlays as curator in admin panel fixed (#944)
- * Bug fix: information about deprecated column is more clear about column
- names (#838)
- * Bug fix: version of the project is limited to 20 characters (#951)
- * Bug fix: link to comment on map from admin panel was broken (#941)
- * Bug fix: hide glyphs tab when necessary (#949)
- * Bug fix: user with write access but without can_create_privileges cannot
- create data overlay (#939)
- * Bug fix: export to CD could misalign reaction lines that were imported from
- format that didn't require reaction line to be attached to the species (#933)
- * Bug fix: problem with migration of default privileges (#902)
- * Bug fix: some project privileges were not migrated properly (#902)
- * Bug fix: problem with uploading data_overlays with type included in header
- (#936)
-
- -- Piotr Gawron <piotr.gawron@uni.lu> Mon, 18 Sep 2019 19:00:00 +0200
-
-minerva (14.0.0~beta.1) unstable; urgency=low
- * Bug fix: problem with changing user role (#932)
-
- -- Piotr Gawron <piotr.gawron@uni.lu> Tue, 3 Aug 2019 21:00:00 +0200
-
-
-minerva (14.0.0~beta.0) unstable; urgency=low
* Small improvement: sorting by columns that doesn't make sense in admin
panel is disabled (#895)
* Small improvement: version of minerva is visible in map browser panel
* Small improvement: small info about annotator details is available in
- select anntoators dialog (#923)
+ select annotators dialog (#923)
* Small improvement: CellDesigner layers are always visualized as pathways
(#813)
- * Small improvement: setting "Modify project| checkbox automatically select
- "View project" checkbox when editing privileges (#920)
* Small improvement: notification email uses minerva name and id of affected
project (#926)
* Small improvement: information about person who uploaded project is visible
in list of projects (#927)
- * Small improvement: user role introduced in edit user dialog (#924)
- * Small improvement: tab with list of glyps is available when adding project
+ * Small improvement: tab with list of glyphs is available when adding project
with glyphs (#925)
* Small improvement: BackgroundColor parameter should be assigned using ":"
character (#929)
+ * Small improvement: anonymous login is no longer required - each API query
+ outside session is authorized with anonymous user privileges (#629)
+ * Small improvement: bcrypt is used for password encryption (#387)
+ * Small improvement: caching is active by default for new users when
+ uploading project (#202)
+ * Small improvement: when removing overlay in admin panel there is a
+ confirmation dialog (#696)
+ * Small improvement: overlay name is obligatory (#698)
+ * Small improvement: list of projects in admin panel contains creation date
+ (#447)
+ * Small improvement: links in list of publications open in new tab (#447)
+ * Small improvement: target gene in search panel contains also information
+ about type of database that identifies the target (#66)
+ * Small improvement: redundant 'references' field in gene variants data
+ overlay is now deprecated (#850)
+ * Small improvement: information about deprecated columns in data overlay is
+ visible in overlay list (#838)
+ * Small improvement: publication list is resizeable (#740)
+ * Small improvement: user list on project edit dialog is sortable (#808)
+ * Bug fix: exported SBML passes online validation (#831)
+ * Bug fix: allow user to remove own comments (#931)
+ * Bug fix: validation of project name length is provided (#950)
+ * Bug fix: list of "Copy from" elements in "Select valid annotations" dialog
+ is shortened to used bio entity types (#911)
+ * Bug fix: version of the project is limited to 20 characters (#951)
+ * Bug fix: export to CD could misalign reaction lines that were imported from
+ format that didn't require reaction line to be attached to the species (#933)
+ * Bug fix: problem with uploading data_overlays with type included in header
+ (#936)
* Bug fix: work on FF Private Window mode could cause logout or raise an
error on when opening new tab with minerva (#892)
* Bug fix: fetching list of miRnas resulted sometimes in "Internal Server
Error" (#889)
- * Bug fix: user without admin right can accept terms of service (#893)
* Bug fix: edit project dialog verifies organism id (#914)
- * Bug fix: user without admin or curator privileges shouldn't be able to
- check logs (#894)
- * Bug fix: user without admin or curator privileges had issues with accesing
- and removing data overlays (#897, #898, #899, #903)
- * Bug fix: privilege checking on updating privileges, data overlays were not
- sufficient and could lead to access escalation
- * Bug fix: user without privileges had edit map input options enabled
- * Bug fix: user without privileges had edit map input options for managing
- project users
- * Bug fix: curator couldn't update data overlay in some situations (#905)
- * Bug fix: alignment of tabs fixed for dialogs: "Add Project", "Edit Genome",
- "Edit Project", "Edit User" (#881)
* Bug fix: all colors in boolean reaction (from CellDesigner) are processed
properly (#907)
* Bug fix: proper line type for boolean reaction is used on the whole
reaction (#908)
- * Bug fix: user with modify access to the project can edit it in admin panel
- (#901)
- * Bug fix: creating project with too long name hung (#916)
- * Bug fix: too long user login thrown an error (#915)
- * Bug fix: width of info window adjust to the content size (#903)
+ * Bug fix: creating project with too long name hung upload (#916)
+ * Bug fix: too long user login threw an error (#915)
* Bug fix: when uploading generic data overlay the type was not updated in
case the type was not specified in the input file (#906)
* Bug fix: list of types when copying from annotators contains only types
that are selectable in the dialog (#911)
- * Bug fix: remove of data overlay didn't update numbering of data overlays
- that are still in the system (#918)
* Bug fix: too long name for data overlay in info window is trimmed (#919)
* Bug fix: too long name in general overlay list is wrapped (#857)
* Bug fix: after genome is removed list of genomes is refreshed (#922)
- * Bug fix: when session expired anonymous user could access admin panel with
- very limited access (#928)
- * Bug fix: migrating from old minerva will grant WRITE_PROJECT privilege to
- users who have manage comments or manage overlays privilege (#902)
-
- -- Piotr Gawron <piotr.gawron@uni.lu> Wed, 28 Aug 2019 21:00:00 +0200
-
-minerva (14.0.0~alpha.1) unstable; urgency=low
- * Feature removal: support for tomcat7 removed (#828)
- * Small improvement: debian package can be installed on debian:buster (#879)
* Bug fix: REST API bioEntities:search method didn't limit results to the
submodel id (#860)
* Bug fix: Empty Overlay colours were not preserved during export to
CellDesigner (#714)
- * Bug fix: some project couldn't be accessed due to problem with migration of
- reaction with unknown boolean operator (#880)
* Bug fix: problem with unloading plugin is properly handled (#884)
* Bug fix: upload of invalid plugin doesn't add it to plugin tab and list of
loaded plugins (#885)
- * Bug fix: link to molart was brokwn (#886)
- * Bug fix: context menu visualization fixed
- * Bug fix: problem with uploading projects (#887)
-
- -- Piotr Gawron <piotr.gawron@uni.lu> Mon, 13 Aug 2019 21:00:00 +0200
-
-minerva (14.0.0~alpha.0) unstable; urgency=low
- * Feature: security layer redesigned - privilege types and scope changed
- (#636, #624)
- * Feature: log4j is replaced with log4j2 logging mechanism (#291)
- * Feature: database installed via debian package is done via dbconfig-commons
- (#469)
- * Feature: Replaced connection pool manager C3P0 with better maintained
- Hikari - restart of postgresql database doesn't require restart of tomcat
- (#564)
- * Feature removal: BioCompendium annotator removed (#32)
- * Small improvement: anonymous login is no longer required - each API query
- outside session is authorized with anonymous user privileges (#629)
- * Small improvement: bcrypt is used for password encryption (#387)
- * Small improvement: caching is active by default for new users when
- uploading project (#202)
- * Small improvement: when removing overlay in admin panel there is a
- confirmation dialog (#696)
- * Small improvement: overlay name is obligatory (#698)
- * Small improvement: list of projects in admin panel contains creation date
- (#447)
- * Small improvement: links in list of publications open in new tab (#447)
- * Small improvement: target gene in search panel contains also information
- about type of database that identifies the target (#66)
- * Small improvement: redundant 'references' field in gene variants data
- overlay is now deprecated (#850)
- * Small improvement: information about deprecated columns in data overlay is
- visible in overlay list (#838)
- * Small improvement: publication list is resizeable (#740)
- * Small improvement: user list on project edit dialog is sortable (#808)
* Bug fix: export to CellDesigner of reaction with two modifiers connected
with boolean operator resulted was skipping some layout information
* Bug fix: reaction in SBGNML file containing two products was improperly
@@ -156,7 +93,7 @@ minerva (14.0.0~alpha.0) unstable; urgency=low
* Bug fix: Search drug by target element did not return values when this
element was annotated automatically (#216)
- -- Piotr Gawron <piotr.gawron@uni.lu> Fri, 09 Aug 2019 10:00:00 +0200
+ -- Piotr Gawron <piotr.gawron@uni.lu> Wed, 09 Oct 2019 12:00:00 +0200
minerva (13.2.0) stable; urgency=medium
* Small improvement: MolArt v1.4 is used which provide information from
diff --git a/rest-api/src/main/java/lcsb/mapviewer/api/projects/overlays/OverlayController.java b/rest-api/src/main/java/lcsb/mapviewer/api/projects/overlays/OverlayController.java
index 7cfd280fc1d4f4f8f510f2ee985f8fad9a6b1c0d..51d4b086f373cf0ab409d6a396f8e37cdf27e384 100644
--- a/rest-api/src/main/java/lcsb/mapviewer/api/projects/overlays/OverlayController.java
+++ b/rest-api/src/main/java/lcsb/mapviewer/api/projects/overlays/OverlayController.java
@@ -102,6 +102,7 @@ public class OverlayController extends BaseController {
@PreAuthorize("hasAuthority('IS_ADMIN')" +
" or (hasAuthority('IS_CURATOR') and hasAuthority('WRITE_PROJECT:' + #projectId))" +
+ " or (hasAuthority('IS_CURATOR') and hasAuthority('READ_PROJECT:' + #projectId))" +
" or (hasAuthority('READ_PROJECT:' + #projectId) and hasAuthority('CAN_CREATE_OVERLAYS'))")
@PostMapping(value = "/")
public Map<String, Object> addOverlay(