Itemtemplate Forbidden error for a collection's administrator #8832

Closed
paulo-graca opened this issue May 8, 2023 · 3 comments · Fixed by #8851

Comments

@paulo-graca
Contributor

Describe the bug
If a collection administrator (who isn't an administrator) tries to edit an item template on a collection, they will get an "Access is denied" message.

To Reproduce
Steps to reproduce the behavior:

  1. With DSpace 7.5
  2. First, have a collection's item template created.
  3. Associate a user (without administrator permissions) as collection Admin
  4. Log in as that collection's admin user
  5. Try to edit the item template that is associated with the collection and save
  6. You will obtain an "Access is denied" error message

Expected behavior
The collection's admin user should be able to edit the associated item template.

Other details
DSpace log error message:

2023-05-08 09:38:40,899 INFO  c929504a-9345-4c7f-8df6-8eb0608ac5f3 604707f6-5f51-4938-9bb7-20bdaee695c2 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [PATCH /server/api/core/itemtemplates/66fea90e-bcab-47e2-bc8c-6e9ad49770ee] originated from /collections/6f403972-e021-4a49-930d-1c26ae77b2d7/itemtemplate
2023-05-08 09:38:40,902 WARN  c929504a-9345-4c7f-8df6-8eb0608ac5f3 604707f6-5f51-4938-9bb7-20bdaee695c2 org.dspace.app.rest.exception.DSpaceApiExceptionControllerAdvice @ Access is denied (status:403 exception: Acesso negado at: org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73))

Request Header:

PATCH /server/api/core/itemtemplates/66fea90e-bcab-47e2-bc8c-6e9ad49770ee HTTP/1.1
Host: MYHOST
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: application/json, text/plain, */*
Accept-Language: pt-PT;q=1,pt-PT;q=0.1,pt;q=0.09,en;q=0.08,en-US;q=0.06999999999999999
Accept-Encoding: gzip, deflate, br
Content-Type: application/json; charset=utf-8
authorization: Bearer API_TOKEN
X-XSRF-TOKEN: TOKEN
X-CORRELATION-ID: TOKEN
X-REFERRER: /collections/6f403972-e021-4a49-930d-1c26ae77b2d7/itemtemplate
Content-Length: 111
Origin: https://MYHOST
Connection: keep-alive
Referer: https://MYHOST/collections/6f403972-e021-4a49-930d-1c26ae77b2d7/itemtemplate
Cookie: MyHalBrowserCsrfToken=TOKEN; MyHalBrowserToken=TOKEN; DSPACE-XSRF-COOKIE=TOKEN; __utma=22998072.384116241.1650527823.1682089104.1683019282.122; __utmz=22998072.1681464712.115.6.utmcsr=statics.teams.cdn.office.net|utmccn=(referral)|utmcmd=referral|utmcct=/; _ga=GA1.1.384116241.1650527823; klaro-anonymous=%7B%22authentication%22%3Atrue%2C%22preferences%22%3Atrue%2C%22acknowledgement%22%3Atrue%7D; _ga_...
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Request:

[{"op":"add","path":"/metadata/dc.contributor.author/-","value":{"value":"Graça, Paulo","language":null}}]

Response:

{"timestamp":"2023-05-08T09:39:38.965+00:00","status":403,"error":"Forbidden","message":"Access is denied","path":"/server/api/core/itemtemplates/66fea90e-bcab-47e2-bc8c-6e9ad49770ee"}
@paulo-graca paulo-graca added bug needs triage New issue needs triage and/or scheduling labels May 8, 2023
@tdonohue tdonohue added high priority and removed needs triage New issue needs triage and/or scheduling labels May 11, 2023
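The authorization decision behind the 403 above, as an added model (not DSpace's own code): a check that only consults the caller's site-admin flag rejects every collection administrator, while the expected behaviour resolves the template back to its owning collection and accepts members of that collection's admin group. User names, collection ids and the `authorize_*`/`handle_patch` helpers are constructed for the example.

```python
# Added model (not DSpace code) of the authorization behind this report's 403:
# edits to an item template must be authorized via the collection that owns it.
import copy
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    site_admin: bool = False

@dataclass(frozen=True)
class Collection:
    uuid: str
    admins: frozenset   # members of the collection's ADMIN group
    template_uuid: str  # the collection's item template ("" if none)

def owning_collection(template_uuid, collections):
    # A template is not an archived item: its owner is found via the collection
    return next((c for c in collections if c.template_uuid == template_uuid), None)

def authorize_buggy(user, template_uuid, collections):
    """Behaviour the report describes: only site administrators pass."""
    return user.site_admin

def authorize_fixed(user, template_uuid, collections):
    """Expected behaviour: site admin, or admin of the owning collection."""
    owner = owning_collection(template_uuid, collections)
    return user.site_admin or (owner is not None and user.name in owner.admins)

def apply_metadata_patch(metadata, patch):
    """JSON Patch subset from the report: "add" to /metadata/<field>/- appends."""
    result = copy.deepcopy(metadata)
    for op in patch:
        parts = op["path"].split("/")  # ['', 'metadata', '<field>', '-']
        if op["op"] != "add" or len(parts) != 4 or parts[1] != "metadata" or parts[3] != "-":
            raise ValueError(f"unsupported patch operation: {op}")
        result.setdefault(parts[2], []).append(op["value"])
    return result

def handle_patch(user, template_uuid, metadata, collections, patch, authorize):
    """Model of PATCH /api/core/itemtemplates/{uuid}; returns (status, body)."""
    if not authorize(user, template_uuid, collections):
        return 403, {"status": 403, "error": "Forbidden", "message": "Access is denied"}
    return 200, apply_metadata_patch(metadata, patch)

# Constructed sample data; ids are placeholders, not the UUIDs in the report.
COLL_ADMIN, OTHER_ADMIN, SITE_ADMIN = User("coll_admin"), User("other_admin"), User("root", True)
COLLECTIONS = (Collection("coll-1", frozenset({"coll_admin"}), "tmpl-1"),
               Collection("coll-2", frozenset({"other_admin"}), ""))
TEMPLATE_METADATA = {"dc.title": [{"value": "Template", "language": None}]}
PATCH = [{"op": "add", "path": "/metadata/dc.contributor.author/-",
          "value": {"value": "Graça, Paulo", "language": None}}]
```

Running `handle_patch(COLL_ADMIN, "tmpl-1", TEMPLATE_METADATA, COLLECTIONS, PATCH, authorize_buggy)` reproduces the 403 body from the report; swapping in `authorize_fixed` returns 200 with the author appended, while an admin of an unrelated collection still gets 403.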
@buithaihai
Contributor

DLCorp would like to claim this issue, seeing that no one has. Estimated time is 4 hours.

@tdonohue
Member

@buithaihai : Thanks! Please be aware that, if you'd like this to be included in 7.6, we'd need a very quick fix. All code going into 7.6 needs to be fully reviewed/merged if possible by June 9.

@buithaihai
Contributor

Understood, I will try my best.
