REST endpoints should not allow malformed series ACL
Steps to reproduce
The following REST endpoints should not allow ACLs where roles are missing:
Series service (/series)
External API (/api/series)
Admin UI Facade (/admin-ng/series)
Without looking at the code, you probably are right.
Note that we won't work on this issue due to priorities, so if you have some time to address it, please go ahead.
Good question. I haven't looked at this very much so far since this is work sponsored by SWITCH and they have other priorities right now, but it's still definitely on the to-do list. It's possible that api/series validates ACLs, but at least one of the other REST endpoints does not (or not sufficiently), which is why they ended up with series with broken ACLs. (I saw your pull requests regarding the UI issues btw, so at least that's fixed now, yay!)
The goal should definitely be to have one place that validates ACLs consistently, and use that in all the endpoints that accept ACL. It looks like you found some code duplication/overlap there, I'm gonna look into this as soon as I pick this back up...
As far as I understand the code, /api/series should validate (series) ACLs (see org.opencastproject.external.util.AclUtils#deserializeJsonToAcl). For me this begs the question why this logic is different from org.opencastproject.security.api.AccessControlParser and why there even is a second implementation. Can't we just merge the two classes?
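The single validation point discussed in this thread, sketched as an added example (not Opencast code and not posted by anyone in the thread): one function that every endpoint would call before storing a series ACL, rejecting entries whose role is missing or blank. The payload shape `{"acl": {"ace": [{"role", "action", "allow"}]}}`, the names `parse_acl`, `check` and `MalformedAcl`, and the sample payloads are assumptions made for illustration.

```python
import json

# Assumed fields of one ACL entry and the type each must have.
REQUIRED = {"role": str, "action": str, "allow": bool}


class MalformedAcl(ValueError):
    """Raised when an ACL payload must be rejected (an HTTP 400 at the endpoint)."""


def parse_acl(raw):
    """Parse and validate one ACL document; return a list of (role, action, allow)."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError) as exc:
        raise MalformedAcl(f"not valid JSON: {exc}") from exc
    try:
        entries = doc["acl"]["ace"]
    except (KeyError, TypeError):
        raise MalformedAcl("expected an object of the form {acl: {ace: [...]}}") from None
    if not isinstance(entries, list):
        raise MalformedAcl("'ace' must be a list of entries")
    result = []
    for i, ace in enumerate(entries):
        if not isinstance(ace, dict):
            raise MalformedAcl(f"entry {i} is not an object")
        for field, kind in REQUIRED.items():
            value = ace.get(field)
            if not isinstance(value, kind):
                raise MalformedAcl(f"entry {i}: missing or invalid '{field}'")
            if kind is str and not value.strip():
                raise MalformedAcl(f"entry {i}: empty '{field}'")
        result.append((ace["role"], ace["action"], ace["allow"]))
    return result


def check(raw):
    """Return (accepted, detail), the decision every endpoint would share."""
    try:
        return True, parse_acl(raw)
    except MalformedAcl as exc:
        return False, str(exc)


# Constructed sample payloads, not captured from a real system.
GOOD = '{"acl": {"ace": [{"role": "ROLE_USER", "action": "read", "allow": true}]}}'
NO_ROLE = '{"acl": {"ace": [{"action": "read", "allow": true}]}}'
EMPTY_ROLE = '{"acl": {"ace": [{"role": " ", "action": "write", "allow": true}]}}'

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("no role", NO_ROLE), ("empty role", EMPTY_ROLE)]:
        print(name, check(raw))
```

Because the whole document is rejected when any entry fails, a partially valid ACL is never stored with the broken entry silently dropped.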