
Unprivileged users can publish events to series they do not have access to

Steps to reproduce

The following applies if PR #74 is merged (fix for ).

Suppose userA does not have read or write access to seriesX.

Steps to reproduce:
1. As userA, initiate the creation of a new event using internal or external APIs.
2. Construct the ACL to include read/write access for userA, and at least read access to those roles attached to seriesX. For metadata, set the value of the 'isPartOf' field to the series id of seriesX.
3. Complete the request.

Actual Results:
userA creates an event that is available/published in the seriesX catalogue.

Expected Results:
I cannot foresee a valuable use case where userA should be able to attach events to seriesX's catalogue. Therefore, userA should be denied from performing such an action.

Workaround (if any):
None, as knowledgeable users can alter metadata and ACLs as they wish.

Assignee: Unassigned
Reporter: Duncan Smith
Severity: Security
Tags (folksonomy): None
Affects versions: 4.0
Priority: Minor