Details
-
Type:
Bug
-
Status: Closed (View Workflow)
-
Priority:
Critical
-
Resolution: Fixed
-
Affects Version/s: 7.0
-
Fix Version/s: 7.0
-
Component/s: REST API v7
-
Labels:
-
Attachments:
-
Comments:2
-
Documentation Status:Needed
Description
With the new DSpace 7 REST API, a submitter is no longer restricted to editing metadata fields from the submission forms, if they use the /api/core/items endpoint.
It's easy to modify any metadata field, e.g. using:
```
curl -D - -X PATCH 'http://localhost:8080/rest/api/core/items/517f13ab-3105-42d3-bf55-271876fb726e' -H "Authorization: $authorization" -H "content-type: application/json" --data '[ { "op": "add", "path": "/metadata/dc.description.provenance", "value": [
] } ]'
```
This is accessible because the user has WRITE permissions on the item
The same action can be performed by workflow members for their tasks