Steps to reproduce:
1. Ingest a video, publish it to engage and set the access policy to private (role ROLE_USER_ADMIN has read access).
2. Create a user with role ROLE_USER (as is the case with LTI user)
3. Login as this user (e.g. in Engage UI)
Actual Results: This user can access the ingested video.
Expected Results: This user has no access to the video.
Workaround (if any): none
Problem:
The problem lies in the query that is send to Solr:
`": AND oc_organization:mh_default_org AND (oc_acl_read:ROLE_USER_TEST OR oc_acl_read:ROLE_ANONYMOUS OR oc_acl_read:ROLE_USER) AND -oc_mediatype:Series AND -oc_deleted:[* TO *]"`
Since ROLE_USER is a sub string of ROLE_USER_ADMIN, Solr is returning this entry. A fix would be to store the role always enclose in some sort of symbols (e.g. comma) and require that in the search query.