Private articles are not found

[tomgross]

Private articles are not found with collective.solr 6.0a1 even if the user has permission to view them.

[tomgross]

It looks like the authenticated user is not taken over to the search restrictions in allowedRolesAndUsers:

 /home/tom/buildout-eggs/Zope2-2.13.24-py2.7.egg/ZServer/PubCore/ZServerPublisher.py(31)__init__()
-> response=b)
  /home/tom/buildout-eggs/Zope2-2.13.24-py2.7.egg/ZPublisher/Publish.py(455)publish_module()
-> environ, debug, request, response)
  /home/tom/buildout-eggs/Zope2-2.13.24-py2.7.egg/ZPublisher/Publish.py(249)publish_module_standard()
-> response = publish(request, module_name, after_list, debug=debug)
  /home/tom/buildout-eggs/Zope2-2.13.24-py2.7.egg/ZPublisher/Publish.py(138)publish()
-> request, bind=1)
  /home/tom/buildout-eggs/Zope2-2.13.24-py2.7.egg/ZPublisher/mapply.py(77)mapply()
-> if debug is not None: return debug(object,args,context)
  /home/tom/buildout-eggs/Zope2-2.13.24-py2.7.egg/ZPublisher/Publish.py(48)call_object()
-> result=apply(object,args) # Type s<cr> to step into published object.
  /home/tom/buildout-eggs/plone.rest-1.0a6-py2.7.egg/plone/rest/service.py(20)__call__()
-> return self.render()
  /home/tom/buildout-eggs/plone.restapi-1.0a5-py2.7.egg/plone/restapi/services/__init__.py(15)render()
-> content = self.reply()
  /home/tom/buildout-eggs/plone.restapi-1.0a5-py2.7.egg/plone/restapi/services/search/get.py(12)reply()
-> return SearchHandler(self.context, self.request).search(query)
  /home/tom/buildout-eggs/plone.restapi-1.0a5-py2.7.egg/plone/restapi/search/handler.py(42)search()
-> lazy_resultset = self.catalog.searchResults(query)
  /home/tom/buildout-eggs/collective.indexing-2.0b1-py2.7.egg/collective/indexing/monkey.py(84)searchResults()
-> return self.__af_old_searchResults(REQUEST, **kw)
> /home/tom/Templates/collective.solr/src/collective/solr/monkey.py(17)searchResults()
-> kw['allowedRolesAndUsers'] = self._listAllowedRolesAndUsers(user)
(Pdb) p user
<SpecialUser 'Anonymous User'>     # Should be the authenticated user

It seems that somehow plone.restapi is in the way somehow...
/cc @tisto mind to have a look

[mauritsvanrees]

For clarity: if you switch off javascript, it works.

Or in other words: when you fill in a search term in the live search and press enter, then on the Solr side you correctly see something like user$admin+OR+Manager+OR+Authenticated+OR+Anonymous in the allowed roles and users search, giving some results. But subsequent calls via javascript/plone.restapi are Anonymous.

This only happens for users defined at the Zope root. It does not matter if you are logged in via Basic Auth or via the Plone login form.
When I create a user in Plone and add him to the Site Administrators, this user finds the private items via Solr just fine, also via js/restapi.

[tisto]

We will work on a solution for the issue in plone.restapi and have it fixed in the next release.