Currently, the DSpaceRestRepository class provides a few very basic "createAndReturn()" methods for the creation of new objects (via POST request).
The one with the most parameters simply takes in a Context object: https://github.com/DSpace/DSpace/blob/master/dspace-spring-rest/src/main/java/org/dspace/app/rest/repository/DSpaceRestRepository.java#L287
Unfortunately, this lack of method parameters makes using Spring Security Annotations (like @PreAuthorize) difficult. Here's how these annotations are expected to be used (on PUT/DELETE/GET methods): https://wiki.duraspace.org/display/DSPACE/REST+Authorization
Some DSpace objects require that you have ADD permissions on a parent object in order to create a child object.
For example, creating a Collection requires ADD permissions on the parent Community. Ideally, in this example, we should be able to check those permissions (in CollectionRestRepository.createAndReturn()) via an annotation like:
```java
@PreAuthorize("hasPermission(#id, 'COMMUNITY', 'ADD')")
```
However, as the createAndReturn(context) method doesn't take in the Parent Community ID, this annotation will not function properly. Currently, we manually extract the parent ID from the request parameters (on querystring) within the createAndReturn(context) method.
We should either refactor createAndReturn() to allow for a version that takes in a Parent ID parameter or find a way to leverage Spring Security to pull this Parent ID parameter from the querystring. That way we can update @PreAuthorize to properly check for permissions on the parent object.
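One shape the first option could take, as an added sketch (not DSpace's own code, and not something Spring provides out of the box): the parent ID becomes a named parameter of createAndReturn() so the SpEL reference in @PreAuthorize resolves to it, and a PermissionEvaluator translates the ('COMMUNITY', 'ADD') pair into DSpace's existing AuthorizeService check. The class names DSpacePermissionEvaluator and CollectionCreation, the currentContext() helper and the location org.dspace.app.rest.utils.ContextUtil are assumptions for illustration; AuthorizeService.authorizeActionBoolean(), CommunityService.find(), CollectionService.create() and Constants.ADD are used as I understand the DSpace API and should be checked against the code base.

```java
import java.io.Serializable;
import java.sql.SQLException;
import java.util.UUID;

import javax.servlet.http.HttpServletRequest;

import org.dspace.app.rest.utils.ContextUtil;          // assumed location of the request->Context helper
import org.dspace.authorize.AuthorizeException;
import org.dspace.authorize.service.AuthorizeService;
import org.dspace.content.Collection;
import org.dspace.content.Community;
import org.dspace.content.service.CollectionService;
import org.dspace.content.service.CommunityService;
import org.dspace.core.Constants;
import org.dspace.core.Context;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/**
 * Illustrative PermissionEvaluator (name assumed) that gives meaning to
 * hasPermission(#parentId, 'COMMUNITY', 'ADD') inside @PreAuthorize.
 * The annotation, not the body of createAndReturn(), decides whether the
 * caller may add a child to the parent Community.
 */
@Component
public class DSpacePermissionEvaluator implements PermissionEvaluator {

    @Autowired
    private AuthorizeService authorizeService;
    @Autowired
    private CommunityService communityService;

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // Fail closed: a missing or malformed parent ID is a denial, never a pass.
        if (targetId == null || targetType == null || permission == null) {
            return false;
        }
        final UUID id;
        try {
            id = UUID.fromString(targetId.toString());
        } catch (IllegalArgumentException badUuid) {
            return false;
        }
        try {
            if ("COMMUNITY".equals(targetType) && "ADD".equals(permission.toString())) {
                Community parent = communityService.find(currentContext(), id);
                // A parent that does not exist is answered exactly like a forbidden one,
                // so the response does not reveal which Community UUIDs are valid.
                return parent != null
                    && authorizeService.authorizeActionBoolean(currentContext(), parent, Constants.ADD);
            }
        } catch (SQLException e) {
            return false;
        }
        // Any (type, action) pair this evaluator does not know about is denied by default.
        return false;
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // The repository passes IDs, not domain objects; keep the object form closed.
        return false;
    }

    /** Assumed helper: the DSpace Context bound to the request being authorized. */
    private Context currentContext() {
        HttpServletRequest request =
            ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
        return ContextUtil.obtainContext(request);
    }
}

/**
 * Repository side of the refactor (class name assumed): the parent ID is a
 * named method parameter, so #parentId in the SpEL expression refers to it
 * rather than to something the body has to extract from the query string.
 */
class CollectionCreation {

    @Autowired
    private CommunityService communityService;
    @Autowired
    private CollectionService collectionService;

    @PreAuthorize("hasPermission(#parentId, 'COMMUNITY', 'ADD')")
    public Collection createAndReturn(Context context, UUID parentId)
            throws SQLException, AuthorizeException {
        Community parent = communityService.find(context, parentId);
        if (parent == null) {
            // Unreachable when the evaluator ran, but the method stays safe if called directly.
            throw new IllegalStateException("parent Community not found");
        }
        return collectionService.create(context, parent);
    }
}
```

Two things a practitioner will want to check before relying on this: the evaluator only takes effect once it is registered on the method-security expression handler (DefaultMethodSecurityExpressionHandler.setPermissionEvaluator) under a configuration with @EnableGlobalMethodSecurity(prePostEnabled = true), and the #parentId reference needs the parameter name to be available at runtime (compile with -parameters or rely on Spring's parameter name discovery), otherwise the expression evaluates against null and the fail-closed branch above denies every request.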
Flagging this as a Blocker as it involves REST API security.