I guess it's not important, but maybe this hides something else that is. So here it goes.
I discovered that in the use case where you auth with the admin Zope user via token, the user has a different set of permissions (not roles) than when it's authenticated via basic auth.
Does this make any sense to you? I haven't been able to reproduce it with a test. I stumbled into this when trying to change the workflow of an item with the admin user via token in an app. It didn't allow me, because in that context the user lacks the Review content permission!
sneridagh changed the title from "Permission inconsistency when authenticating with (Zope) admin using basic auth and token" to "Permission inconsistency between authenticating with (Zope) admin using basic auth and token" on Dec 5, 2016
The problem is that the admin user is defined in the root acl_users folder but the JWT plugin is installed in the acl_users folder of the Plone site. The user only gets roles from the acl_users folder he got authenticated in. When authenticated by the JWT plugin, the admin user doesn't get any roles from the root acl_users folder.
I think we should remove the support for authenticating users that are not defined in the same acl_users folder as the JWT plugin because it doesn't work properly. This also means that you will no longer be able to authenticate as admin user with a JWT token. A workaround would be to install the JWT plugin in the root acl_users folder. However, the current implementation relies on plone.keyring which doesn't work outside of a Plone site.
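The mechanism described in the comment above, as an added illustration that is not plone.restapi or PAS code: a small model of nested acl_users folders in which a request is authenticated by the innermost folder whose plugin accepts the credentials, and the user's roles come only from that folder. The folder names, the user and role sets, the permission-to-roles mapping and the `strict_jwt` switch (standing in for the proposed fix of rejecting users not defined in the plugin's own folder) are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed mapping of a permission to the roles that grant it.
PERMISSION_ROLES = {"Review portal content": {"Manager", "Reviewer"}}


@dataclass
class AuthenticatedUser:
    user_id: str
    roles: frozenset
    folder: str  # the acl_users folder that produced this user


@dataclass
class UserFolder:
    name: str
    users: dict  # user id -> roles granted by this folder (constructed)
    plugins: set  # names of auth plugins installed in this folder
    strict_jwt: bool = False  # hypothetical fix: only accept users defined here

    def authenticate(self, credentials):
        kind, user_id = credentials
        if kind not in self.plugins:
            return None
        defined_here = user_id in self.users
        # The basic-auth plugin only knows users stored in its own folder.
        if kind == "basic" and not defined_here:
            return None
        # The token plugin trusts the user id carried by the token, even
        # when that user is defined elsewhere, unless the strict fix is on.
        if kind == "jwt" and self.strict_jwt and not defined_here:
            return None
        # Roles are looked up only in this folder, so a user defined in an
        # outer folder comes back with an empty role set.
        roles = frozenset(self.users.get(user_id, ()))
        return AuthenticatedUser(user_id, roles, self.name)


def authenticate(credentials, folders):
    """Try folders from innermost (site) to outermost (root)."""
    for folder in folders:
        user = folder.authenticate(credentials)
        if user is not None:
            return user
    return None


def has_permission(user, permission):
    return user is not None and bool(user.roles & PERMISSION_ROLES[permission])


def build_folders(strict_jwt=False):
    # Constructed layout: admin lives in the root folder, the JWT plugin
    # is installed only in the Plone site's folder.
    root = UserFolder("/acl_users", {"admin": {"Manager"}}, {"basic"})
    site = UserFolder("/Plone/acl_users", {"editor": {"Editor"}},
                      {"basic", "jwt"}, strict_jwt)
    return [site, root]


def compare_admin(strict_jwt=False):
    """Authenticate 'admin' both ways and report folder, roles, permission."""
    folders = build_folders(strict_jwt)
    result = {}
    for kind in ("basic", "jwt"):
        user = authenticate((kind, "admin"), folders)
        if user is None:
            result[kind] = None
        else:
            result[kind] = (user.folder, sorted(user.roles),
                            has_permission(user, "Review portal content"))
    return result


if __name__ == "__main__":
    print(compare_admin())             # jwt path: no roles, permission denied
    print(compare_admin(strict_jwt=True))  # jwt path: admin cannot log in at all
```

With the default layout the basic-auth path resolves admin in the root folder with the Manager role, while the token path resolves the same id in the site folder with no roles, which is why a permission check on the token-authenticated user fails even though the login succeeded. Turning on the strict behaviour makes the token path refuse admin outright, matching the consequence the comment describes for the proposed change.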
@buchi @lukasgraf @timo any insights?