Series ACL and authorization

[LukasKalbertodt]

What exactly does a series ACL do? Since it has a potentially dual purpose, this is handled inconsistently throughout the community and even Opencast. The two "uses" of series ACL are:

• Inheritance to events: events of the series can use the series' ACL (potentially merged with their own ACL in different ways)
• Controlling access to the series itself

Due to this, there are a few open questions:

• Who can read series metadata?
• Who can add events to a series?
• Who can modify/delete the series?

For reference, Tobira currently allows everyone to read a series metadata, and requires write access in the series ACL for the latter two actions. But that's not handled the same way everywhere. So we should specify this here once and for all.

We could also have two ACLs per series, one for passing down to events, the other one to control itself.

Previous discussions:

• Figure out authorization for series elan-ev/tobira#398

[mtneug]

But that's not handled the same way everywhere.

IIRC search behaves the same way. I guess the External API repects read ACLs.

We could also have two ACLs per series, one for passing down to events, the other one to control itself.

This is confusing. Instead, how about adding more actions?

[LukasKalbertodt]

Instead, how about adding more actions?

What do you suggest?

[mtneug]

I mean ACL actions. Something like ROLE_USER_max: read, write, allow-adding-events, but a better name 😅