On a Fedora 4 instance configured to use the role-based authorization delegate, I have added an fcr:accessroles ACL to the collection /bulk13
that sets up "testuser" with just read-only access:

Everything appears fine when I attempt to modify a container resource
under /bulk13 with PUT or POST; the PUT is rejected with a 409 and error
messages referring to insufficient permissions to modify the triples, and
the POST is rejected with a 403.

However, when I send a PATCH request with a SPARQL update query, it
succeeds (returns 204, and the resource gets updated). For example, this
command will add a triple with the predicate dc:title and the object

This is incorrect behavior, since testuser should not be able to modify
any resources under /bulk13, per the fcr:accessroles configuration.

Checking the effective access roles using an admin user, this is what I get:

HTTP/1.1 200 OK