Section 5.3 of the Fedora spec states:
"A conforming server MUST advertise the individual resource ACL for every controlled resource in HTTP responses with a rel="acl" link in the Link header, whether or not the ACL exists."
So Fedora needs to always advertise an ACL location the client can PUT to to create an ACL, even if it doesn't exist already.
Peter Eichman's proposed the path: /resource/fcr:acl
As documented in a related, overlapping, and now closed ticket ( https://jira.duraspace.org/browse/FCREPO-2744 ) this ticket will entail removing the use of acl:accessControl in order to create the rel=acl header link.
To complete the issue,
- Every resource with the exception of all resource's ending in /fcr:acl should return a link header as follows: Link: <resource-uri/fcr:acl>; rel="acl"
- The old way of doing things (populating the rel="acl" using the <> acl:accessControl <aclpath> statement), acl validation , and support for specifying an ACL on resource creation, should be removed.