Unprivileged users can publish events to series they do not have access to

Steps to reproduce

The following applies if PR #74 is merged (fix for ).

Suppose userA does not have read or write access to seriesX.

Steps to reproduce:
1. As userA, initiate the creation of a new event using internal or external APIs.
2. Construct the ACL to include read/write access for userA, and at least read access to those roles attached to seriesX. For metadata, set the value of the 'isPartOf' field to the series id of seriesX.
3. Complete the request.

Actual Results:
userA creates an event available/published to the seriesX catalogue.

Expected Results:
I cannot foresee a valuable use case where userA should be able to attach events to seriesX's catalogue. Therefore, userA should be denied from performing such an action.

Workaround (if any):
None, as knowledgeable users can alter metadata and ACLs as they wish.
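An added example, not code from this report or from the Opencast project, modelling the check a fix would need: event creation must verify that the requesting user holds write access on the series named in 'isPartOf' before the caller-supplied ACL and metadata are stored. The ACL model, the role names and the choice of write as the required permission on the series are assumptions.

```python
from dataclasses import dataclass
ROLE_ADMIN = "ROLE_ADMIN"
@dataclass(frozen=True)
class AclEntry:
    role: str
    action: str  # "read" or "write"
    allow: bool = True
def has_access(user_roles, acl, action):
    # True if the user is admin or any of their roles is granted `action`.
    if ROLE_ADMIN in user_roles:
        return True
    return any(e.allow and e.action == action and e.role in user_roles for e in acl)
class EventService:
    def __init__(self, series_acls):
        self.series_acls = series_acls  # series id -> list of AclEntry
        self.events = {}

    def create_event_unchecked(self, user_roles, event_id, event_acl, metadata):
        # Behaviour in the report: caller-supplied ACL and 'isPartOf' stored as-is.
        self.events[event_id] = {"acl": list(event_acl), "metadata": dict(metadata)}
        return True

    def create_event(self, user_roles, event_id, event_acl, metadata):
        # Hardened: the user must hold write access on the referenced series
        # (an unknown series id is also refused, which is a conservative choice).
        series_id = metadata.get("isPartOf")
        if series_id is not None:
            series_acl = self.series_acls.get(series_id)
            if series_acl is None or not has_access(user_roles, series_acl, "write"):
                raise PermissionError(f"no write access to series {series_id}")
        self.events[event_id] = {"acl": list(event_acl), "metadata": dict(metadata)}
        return True

# Constructed sample data (role names are assumptions, not Opencast's).
SERIES_ACLS = {"seriesX": [AclEntry("ROLE_SERIESX_OWNER", a) for a in ("read", "write")]}
USER_A_ROLES = {"ROLE_USER", "ROLE_USER_A"}        # no access to seriesX
OWNER_ROLES = {"ROLE_USER", "ROLE_SERIESX_OWNER"}

def attempt(checked, roles):
    # Submit the request from the report; return True if the event was stored.
    svc = EventService(SERIES_ACLS)
    acl = [AclEntry("ROLE_USER_A", "read"), AclEntry("ROLE_USER_A", "write"),
           AclEntry("ROLE_SERIESX_OWNER", "read")]
    md = {"title": "event", "isPartOf": "seriesX"}
    create = svc.create_event if checked else svc.create_event_unchecked
    try:
        return create(roles, "ev1", acl, md)
    except PermissionError:
        return False
```

With the check in place the crafted request from userA is refused, while a holder of the series' write role (or an admin) can still attach events to seriesX.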

duncan smith