"Add Event" dialog allows users to take away their own write-access -> upload fails

Steps to reproduce:

1. Create a user "test" and give it all UI roles
2. Add an event with that user and take away its write access in the "Add Event" dialog. Hence, create the following ACL:
ROLE_ADMIN read, write
ROLE_USER_TEST read

Note: the admin user is added because the UI requires at least one user with write access (it doesn't really matter which user).

3. Start the workflow (e.g. fast-ng)

Actual Results:

The workflow fails (it doesn't really matter which workflow is used) at the publish-engage WOH. The error log says

org.opencastproject.serviceregistry.api.ServiceRegistryException: Error handling operation 'Add'
at org.opencastproject.search.impl.SearchServiceImpl.process(SearchServiceImpl.java:617)
at org.opencastproject.job.api.AbstractJobProducer$JobRunner.call(AbstractJobProducer.java:281)
at org.opencastproject.job.api.AbstractJobProducer$JobRunner.call(AbstractJobProducer.java:240)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.opencastproject.security.api.UnauthorizedException: test:mh_default_org:opencast can not take action 'write'
at org.opencastproject.search.impl.SearchServiceImpl.addSynchronously(SearchServiceImpl.java:366)
at org.opencastproject.search.impl.SearchServiceImpl.process(SearchServiceImpl.java:603)
... 6 more

Expected Results:

The user should not be able to start the workflow without having the necessary rights (write-access) to it

Workaround (if any):
-