The following applies if PR #74 is merged (fix for ).
Suppose userA does not have read or write access to seriesX.
Steps to reproduce:
1. As userA, initiate the creation of a new event using internal or external APIs.
2. Construct the ACL to include read/write access for userA, and at least read access to those roles attached to seriesX. For metadata, set the value of the 'isPartOf' field to the series id of seriesX.
3. Complete the request.
userA creates an event available/published to the seriesX catalogue.
I cannot foresee a valuable use case where userA should be able to attach events to seriesX's catalogue. Therefore, userA should be denied from performing such an action.
Workaround (if any):
None, as knowledgeable users can alter metadata and ACLs as they wish.
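
A sketch of the server-side check this report asks for, added here as an illustration; it is not part of the original report or of the project's code. The handler `create_event`, the `AclEntry` type, the role names and the rule that attaching an event requires write access on the series are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:          # hypothetical ACL entry: a role is granted an action
    role: str
    action: str          # "read" or "write"
    allow: bool = True

def is_allowed(user_roles, acl, action):
    """True if any of the caller's roles is granted `action` by `acl`."""
    return any(e.allow and e.action == action and e.role in user_roles for e in acl)

def create_event(user_roles, metadata, event_acl, series_acls):
    """Hypothetical event-creation handler.

    The decision uses the series' stored ACL only. The ACL and metadata in
    the request are caller-controlled and are never consulted for it.
    """
    series_id = metadata.get("isPartOf")
    if series_id:
        series_acl = series_acls.get(series_id)
        # Unknown and forbidden series get the same answer, so the error
        # does not reveal which series ids exist.
        if series_acl is None or not is_allowed(user_roles, series_acl, "write"):
            raise PermissionError("not allowed to attach events to this series")
    return {"metadata": dict(metadata), "acl": list(event_acl)}

# Constructed sample data: seriesX's stored ACL and the request from the report.
SERIES_ACLS = {"seriesX": [AclEntry("ROLE_SERIESX_OWNER", "read"),
                           AclEntry("ROLE_SERIESX_OWNER", "write"),
                           AclEntry("ROLE_SERIESX_VIEWER", "read")]}
USER_A = {"ROLE_USER_A"}  # no read or write access on seriesX
REQUEST_ACL = [AclEntry("ROLE_USER_A", "read"), AclEntry("ROLE_USER_A", "write"),
               AclEntry("ROLE_SERIESX_VIEWER", "read")]

def demo():
    """Run the report's request plus two control cases; return the outcomes."""
    results = {}
    try:
        create_event(USER_A, {"isPartOf": "seriesX"}, REQUEST_ACL, SERIES_ACLS)
        results["userA_seriesX"] = "created"
    except PermissionError:
        results["userA_seriesX"] = "denied"
    create_event({"ROLE_SERIESX_OWNER"}, {"isPartOf": "seriesX"}, REQUEST_ACL, SERIES_ACLS)
    results["owner_seriesX"] = "created"
    create_event(USER_A, {"title": "standalone"}, REQUEST_ACL, SERIES_ACLS)
    results["userA_no_series"] = "created"
    return results

if __name__ == "__main__":
    print(demo())
```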