[Dspace-general] unexpected access to administrator powers

[Patricia Galloway]

We have been running a DSpace instance since the spring of 2003, 
upgrading through 1.2. 1.3, and 1.4, and now to 1.5. Early on we managed 
communities by creating  groups to manage them, and assigned Write, 
Delete (originally), Remove, and Add authorizations to groups on 
communities. Which meant that those groups could make subcommunities and 
collections but could do little else. Alas this is apparently no longer 
true. When someone in one of those groups then goes to one of the 
subcommunities and/or collections for which that group has those 
authorizations, that person will see an "Edit" button on the upper 
right. Still okay and what you would expect, but: when the person clicks 
on the edit button, the whole administrator navigation bar opens up on 
the left and is functional, in effect granting the person full 
administrative control through the GUI. I tried setting up a new group 
and set of permissions like this on a community that did not have them, 
and got the same results. Has anyone else seen this? Has this been reported?
Pat Galloway
School of Information
University of Texas at Austin