Steps to reproduce:
1. Create a user "test" and give it all UI roles
2. Add an event with that user and take away its write access in the "Add Event" dialog, i.e. create the following ACL:
ROLE_ADMIN read, write
ROLE_USER_TEST read
Note: the admin user is added because the UI requires at least one user with write access (it doesn't really matter which user).
3. Start the workflow (e.g. fast-ng)
Actual Results:
The workflow fails (it doesn't really matter which workflow is used) at the publish-engage WOH. The error log says:
org.opencastproject.serviceregistry.api.ServiceRegistryException: Error handling operation 'Add'
at org.opencastproject.search.impl.SearchServiceImpl.process(SearchServiceImpl.java:617)
at org.opencastproject.job.api.AbstractJobProducer$JobRunner.call(AbstractJobProducer.java:281)
at org.opencastproject.job.api.AbstractJobProducer$JobRunner.call(AbstractJobProducer.java:240)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.opencastproject.security.api.UnauthorizedException: test:mh_default_org:opencast can not take action 'write'
at org.opencastproject.search.impl.SearchServiceImpl.addSynchronously(SearchServiceImpl.java:366)
at org.opencastproject.search.impl.SearchServiceImpl.process(SearchServiceImpl.java:603)
... 6 more
Expected Results:
The user should not be able to start the workflow without having the necessary rights (write access) to it.
Workaround (if any):
-
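
A sketch of the expected behaviour, added here as an illustration and not taken from the Opencast code base: the event ACL from step 2 is evaluated for 'write' before the workflow is started, so the request is rejected up front instead of failing later at publish-engage. The class and method names (WorkflowStartGuard, isAllowed, startWorkflow) and the role ROLE_UI_EVENTS are hypothetical; Java 9 or later is assumed.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical model for illustration; these are not Opencast classes.
public class WorkflowStartGuard {

  // The ACL from step 2 of the report: role -> allowed actions.
  static final Map<String, Set<String>> EVENT_ACL = Map.of(
      "ROLE_ADMIN", Set.of("read", "write"),
      "ROLE_USER_TEST", Set.of("read"));

  // True only if at least one of the user's roles is granted the action.
  // Roles that are missing from the ACL grant nothing (default deny).
  static boolean isAllowed(Map<String, Set<String>> acl, Set<String> userRoles, String action) {
    for (String role : userRoles) {
      Set<String> actions = acl.get(role);
      if (actions != null && actions.contains(action)) {
        return true;
      }
    }
    return false;
  }

  // Checks write access before any job is created, so an unauthorized
  // request never reaches the publication step.
  static String startWorkflow(String user, Set<String> userRoles,
                              Map<String, Set<String>> acl, String workflowId) {
    if (!isAllowed(acl, userRoles, "write")) {
      throw new SecurityException(
          user + " can not take action 'write'; workflow '" + workflowId + "' not started");
    }
    return "workflow '" + workflowId + "' started by " + user;
  }

  public static void main(String[] args) {
    // Constructed sample users. ROLE_UI_EVENTS stands in for "all UI roles".
    Set<String> testRoles = Set.of("ROLE_USER_TEST", "ROLE_UI_EVENTS");
    Set<String> adminRoles = Set.of("ROLE_ADMIN");

    System.out.println(startWorkflow("admin", adminRoles, EVENT_ACL, "fast-ng"));
    try {
      startWorkflow("test", testRoles, EVENT_ACL, "fast-ng");
    } catch (SecurityException e) {
      System.out.println("rejected at start: " + e.getMessage());
    }
  }
}
```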