Ingesting without providing an ACL results in a public event

Steps to reproduce

When ingesting something without providing an ACL, the ingest service currently appends a custom ACL (as a series ACL, strangely enough) that grants read access to the anonymous role and, in develop, also write access to the "global capture agent role".

This is at least surprising (as evidenced by the lengthy thread on the German user list: https://groups.google.com/a/opencast.org/forum/#!topic/anwender/qj94Xqr2Luw, and seeing that other places in the Opencast code base fall back to *another* default), if not a security risk.

You can test this for yourself, for example, using the ingest scripts found here: https://github.com/opencast/helper-scripts/tree/master/ingest. Note that the "New Event Wizard" in the admin UI *always* attaches an ACL.

Status:
Assignee: Julian Kniephoff
Reporter: Julian Kniephoff
Severity: Security
Tags (folksonomy): None
Components:
Fix versions:
Affects versions: 6.0, 5.0, 4.0
Priority: Minor
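
A check an operator could run over exported event or series ACLs to spot the grants described in this issue. This is an added example, not Opencast code and not part of the report; the JSON shapes it accepts and the role names `ROLE_ANONYMOUS` and `ROLE_CAPTURE_AGENT` are assumptions, and the sample documents are constructed.

```python
import json

# Assumed role names: the issue only says "anonymous role" and
# "global capture agent role". Adjust to the deployment's configuration.
ANONYMOUS_ROLE = "ROLE_ANONYMOUS"
CAPTURE_AGENT_ROLE = "ROLE_CAPTURE_AGENT"


def entries(acl_doc):
    """Normalise an ACL document to a list of ACE dicts.

    Accepts the wrapped shape {"acl": {"ace": [...]}}, a bare list, and a
    single ACE serialised as an object instead of a one-element list.
    """
    if isinstance(acl_doc, dict) and "acl" in acl_doc:
        acl_doc = (acl_doc["acl"] or {}).get("ace", [])
    if isinstance(acl_doc, dict):
        acl_doc = [acl_doc]
    return list(acl_doc or [])


def is_allowed(ace):
    # Some serialisers emit booleans as strings, so compare textually.
    return str(ace.get("allow")).lower() == "true"


def audit(acl_json):
    """Return sorted findings for grants matching the default in the issue."""
    findings = set()
    for ace in entries(json.loads(acl_json)):
        if not is_allowed(ace):
            continue  # explicit deny entries are not exposure
        role, action = ace.get("role"), ace.get("action")
        if role == ANONYMOUS_ROLE and action == "read":
            findings.add("public-read")
        if role == CAPTURE_AGENT_ROLE and action == "write":
            findings.add("capture-agent-write")
    return sorted(findings)


# Constructed sample documents, not taken from a real system.
SAMPLES = {
    "default-ingest": '{"acl":{"ace":[{"allow":true,"role":"ROLE_ANONYMOUS","action":"read"},{"allow":true,"role":"ROLE_CAPTURE_AGENT","action":"write"}]}}',
    "single-ace": '{"acl":{"ace":{"allow":"true","role":"ROLE_ANONYMOUS","action":"read"}}}',
    "restricted": '[{"allow":true,"role":"ROLE_USER_LECTURER","action":"read"},{"allow":false,"role":"ROLE_ANONYMOUS","action":"read"}]',
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, audit(doc) or "ok")
```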