Reported in the code review process of this PR: https://github.com/DSpace/DSpace/pull/2291#pullrequestreview-202680789
As noted in those comments, if you perform a PUT request to "metadatafield" or "metadataschema" as an unprivileged user (an EPerson without correct permissions), a 404 response is returned.
The expectation is that a 403 Forbidden response should be returned.
You can test with Atmire's database - https://www.dropbox.com/s/ovqp394y3vofnwa/entities7-test-db.sql.gz?dl=1
And with a user that doesn't have any record on epersongroup2eperson, like atmirenv+write5a@g****.com.
Trying this PUT http://localhost/spring-rest/api/core/metadataschemas/1
I've got a 404 error, please check out my Apache log:
`SERVER - - [11/Feb/2019:15:14:37 +0000] "PUT /spring-rest/api/core/metadataschemas/1 HTTP/1.1" 404 949 "http://localhost/admin/registries/metadata/eperson?pageId=registry-metadatafields-pagination&page=1&pageSize=25&sortDirection=ASC&sortField=id" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"`