Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Users with the role `ROLE_COURSE_ADMIN` can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. For example: ```sh % curl -i -u admin:opencast 'https://example.opencast.org/user-utils/xy.json' -X PUT \ --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D' HTTP/2 201 % curl -i -u xy:f 'https://example.opencast.org/user-utils/ab.json' -X PUT \ --data 'password=f&roles=%5B%22ROLE_COURSE_ADMIN%22%5D' HTTP/2 201 ``` `ROLE_COURSE_ADMIN` is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this role allows user creation. This patch fixes the problem by dropping the default access rules for `ROLE_COURSE_ADMIN`. Users which use and need this custom role can easily configure this specific to their needs. There is no reason to ship this by default.
- Loading branch information