Steps to Reproduce
- as admin
- click on search button
- search for an event with a word from its title
- -> actual behavior: the event is not returned
- -> behavior you would expect: the event is returned
Reason
Collective.solr replaces ":" with "$" in roles, but we did not compensate for this in the backend service. As a consequence, when any role is needed involving a username, or roles containing ":" (for example user:user1 or user$AuthenticatedUsers), the content is not returned for the current user.
It's unlikely that this gives a security attack vector, but it's confirmed that for some users some content is not returned that should be returned.
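The mismatch described under Reason, as an added example that is not code from collective.solr or from the backend service: a constructed in-memory index stores principals with ":" replaced by "$", and a permission filter is built with and without the same substitution. The field name `allowed`, the function names and the sample documents are assumptions made for illustration.

```python
def solr_token(principal):
    """Apply the ':' -> '$' substitution the report attributes to collective.solr."""
    return principal.replace(":", "$")


def index_doc(doc_id, allowed):
    """Store a document's allowed principals the way the index side writes them."""
    return {"id": doc_id, "allowed": {solr_token(p) for p in allowed}}


# Constructed sample index (not real site data).
INDEX = [
    index_doc("event-1", ["user:user1"]),
    index_doc("news-1", ["Anonymous"]),
    index_doc("page-1", ["Manager", "user:AuthenticatedUsers"]),
]


def filter_tokens(principals, compensate):
    """Tokens the backend puts in its permission filter for the current user."""
    return [solr_token(p) if compensate else p for p in principals]


def filter_query(principals, compensate):
    """Render the filter; tokens are quoted so ':' and '$' are never query syntax."""
    quoted = " OR ".join('"%s"' % t for t in filter_tokens(principals, compensate))
    return "allowed:(%s)" % quoted


def visible(principals, compensate):
    """Ids of documents whose stored principals intersect the filter tokens."""
    tokens = set(filter_tokens(principals, compensate))
    return sorted(d["id"] for d in INDEX if d["allowed"] & tokens)


def hidden_by_mismatch(principals):
    """Documents the user may see but loses when the backend skips the substitution."""
    return sorted(set(visible(principals, True)) - set(visible(principals, False)))


if __name__ == "__main__":
    user1 = ["Anonymous", "user:user1", "user:AuthenticatedUsers"]
    print(filter_query(user1, compensate=False), visible(user1, False))
    print(filter_query(user1, compensate=True), visible(user1, True))
    print("hidden without compensation:", hidden_by_mismatch(user1))
```

The failure is fail-closed: an unescaped token matches nothing, so content is hidden rather than exposed, and applying the substitution on the query side does not widen access for other principals.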