Fix Version/s: None
Component/s: Islandora Module (Core)
Content models are treated no differently from objects, and their pages and management interface are the same. Furthermore, any user with the "Manage Islandora objects" permission can also manage (and delete) content models.
This can lead to accidents, such as a user with permission to manage repository objects attempting to delete a collection, and accidentally deleting the Collection Content Model. (This happened yesterday to http://arcabc.ca.)
While this kind of accident can be prevented (by applying a XACML policy to each individual CModel object), Islandora administrators would not expect that they need to do this - and such policies should exist out of the box.
Suggesting finer-grained Drupal permissions, to determine which roles may modify objects that have the Content Model content model.