
Permission inconsistency between authenticating with (Zope) admin using basic auth and token #168

Closed
sneridagh opened this issue Dec 5, 2016 · 3 comments


@sneridagh
Member

I guess it's not important, but maybe this hides something else that is. So here it goes.

I discovered that in the use case where you auth with the admin Zope user via token, the user has a different set of permissions (not roles) than when it's authenticated via basic auth.

Does this make any sense to you? I haven't been able to reproduce it with a test. I stumbled into this when trying to change the workflow of an item with the admin user via token in an app. It didn't allow me, because in that context the user lacks the Review content permission!

@buchi @lukasgraf @timo any insights?

@sneridagh sneridagh changed the title Permission inconsistency when authenticating with (Zope) admin using basic auth and token Permission inconsistency between authenticating with (Zope) admin using basic auth and token Dec 5, 2016
@buchi
Member

buchi commented Dec 5, 2016

Seems to be the same issue as in #127.

The problem is that the admin user is defined in the root acl_users folder but the JWT plugin is installed in the acl_users folder of the Plone site. The user only gets roles from the acl_users folder he got authenticated in. When authenticated by the JWT plugin, the admin user doesn't get any roles from the root acl_users folder.

I think we should remove the support for authenticating users that are not defined in the same acl_users folder as the JWT plugin because it doesn't work properly. This also means that you will no longer be able to authenticate as admin user with a JWT token. A workaround would be to install the JWT plugin in the root acl_users folder. However, the current implementation relies on plone.keyring, which doesn't work outside of a Plone site.
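To make the mechanism buchi describes concrete, here is an added toy model (constructed for this illustration; it is not Zope/PAS code, not the plone.restapi JWT plugin, and not anything from this project). It assumes two nested user folders, a root one that defines `admin` with the Manager role and only handles basic auth, and a Plone-site one that carries the JWT plugin. The user names, role names and the `role_gap` check are all assumptions made for the example. The point it shows: a user object only carries the roles of the folder whose plugin authenticated it, so a token accepted in the site folder yields an `admin` with no roles, while basic auth falls through to the root folder and returns Manager.

```python
"""Simplified model of nested acl_users folders and where roles come from.

Constructed for illustration; it does not reproduce Zope's PAS internals.
"""
from dataclasses import dataclass, field


@dataclass
class AclUsers:
    """A user folder: parent folder, users defined here with the roles this
    folder assigns them, and the credential kinds its plugins handle."""
    name: str
    parent: "AclUsers | None" = None
    users: dict = field(default_factory=dict)    # login -> set of roles assigned here
    plugins: set = field(default_factory=set)    # e.g. {"basic", "jwt"}

    def authenticate(self, login, kind, token_valid=False):
        """Try this folder's plugins first, then fall back to the parent folder
        (how a request at the Plone site can still reach the Zope root)."""
        # Basic auth only succeeds for a user actually defined in this folder.
        if kind == "basic" and "basic" in self.plugins and login in self.users:
            return AuthUser(login, self)
        # The (assumed) JWT plugin asserts the identity carried by a valid token,
        # even for a login this folder does not define itself.
        if kind == "jwt" and "jwt" in self.plugins and token_valid:
            return AuthUser(login, self)
        if self.parent is not None:
            return self.parent.authenticate(login, kind, token_valid)
        return None


@dataclass
class AuthUser:
    login: str
    folder: AclUsers     # the folder whose plugin authenticated this user

    def roles(self):
        """Roles come only from the authenticating folder, never its parent."""
        return frozenset(self.folder.users.get(self.login, ()))


def build_site():
    """Assumed layout: admin lives in the root folder, JWT plugin in the site folder."""
    root = AclUsers("root acl_users", users={"admin": {"Manager"}}, plugins={"basic"})
    site = AclUsers("Plone acl_users", parent=root,
                    users={"alice": {"Editor"}}, plugins={"basic", "jwt"})
    return site


def roles_via(site, login, kind):
    """Roles the user ends up with when authenticating at the site via `kind`."""
    user = site.authenticate(login, kind, token_valid=(kind == "jwt"))
    return user.roles() if user else frozenset()


def role_gap(site, login):
    """Roles held via basic auth but missing via JWT; non-empty flags the
    inconsistency reported in this issue for that login."""
    return roles_via(site, login, "basic") - roles_via(site, login, "jwt")


if __name__ == "__main__":
    site = build_site()
    for login in ("admin", "alice"):
        print(login, "basic:", sorted(roles_via(site, login, "basic")),
              "jwt:", sorted(roles_via(site, login, "jwt")),
              "gap:", sorted(role_gap(site, login)))
```

Running it shows `admin` with Manager under basic auth and no roles under JWT, while `alice`, defined in the same folder as the JWT plugin, gets Editor both ways. A `role_gap` check like this, run against the real user folders, is the kind of regression test the first comment says was hard to write.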

@tomgross
Member

tomgross commented Dec 6, 2016

I have seen a security issue in collective.solr which is probably related. collective/collective.solr#150

@tisto
Sponsor Member

tisto commented Feb 27, 2017

Will close this issue for #178
