Should TokenAuthUser::hasPermission delegate to the subject user?

Created on 29 November 2023, 12 months ago

Problem/Motivation

I have an OAuth client set up with a default user configured in the client and selected role-based scopes configured for client_credentials authentication. I can authenticate successfully against /oauth/token with grant_type=client_credentials and scope=administrator, but attempts to get revisions from jsonapi (resourceVersion=rel:workingCopy) fail with an error message:

The current user is not allowed to GET the selected resource. The user does not have access to the requested version. The 'access content' permission is required.

I was able to track this down to the TokenAuthUser::hasPermission callback which firstly executes this code:

    if ($this->token->get('auth_user_id')->isEmpty()) {
      return $this->token->hasPermission($permission);
    }

My client has a default user, which is loaded into the 'subject' property of TokenAuthUser. However, it appears absent from the token, since the isEmpty call returns true. So this if condition evaluates to true, and the hasPermission check on the token returns false even though the token used a role scope that had the appropriate permission.

On a side note, when I attempt the jsonapi call anonymously, I get a different error message, which tells me the TokenAuthUser does have an impact on the permissions system. Just not the one I was expecting.

I commented out the above code in TokenAuthUser::hasPermission but then got another error, since the return condition requires both the token and the user objects to have the same permission:

    return $this->token->hasPermission($permission) && $this->subject->hasPermission($permission);

Instead I changed the && to an ||:

    return $this->token->hasPermission($permission) || $this->subject->hasPermission($permission);

After this, API calls began working as I was expecting.

Is there something wrong that I'm doing here, or is there a bug in TokenAuthUser?

The behaviour I expect is that using this token interacts with the site as the default user specified or with the roles defined by dynamic scopes.

💬 Support request
Status

Active

Version

6.0

Component

Code

Created by

Josh Waihi (New Zealand)
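The difference between the two return lines quoted in the report is the difference between an intersection and a union of two grants. With `&&`, the token's scopes can only narrow what the client's default user may do; with `||`, the effective permission set becomes everything the default user has plus everything the scopes grant, so a deliberately narrow scope no longer attenuates the default user, and a broad scope can exceed the default user. The following stand-alone PHP script is an added example that models that decision; it is not code from the Simple OAuth module. The classes, the `'and'`/`'or'` switch and the permission names are constructed for illustration, and the "no user on the token" branch is modelled with a null subject in place of the `auth_user_id` field check.

```php
<?php
// Added example: a stand-alone model of the permission decision in
// TokenAuthUser::hasPermission(). Not the module's own code; every class,
// permission string and sample grant below is constructed for illustration.

declare(strict_types=1);

final class PermissionSet
{
    /** @param string[] $permissions */
    public function __construct(private array $permissions) {}

    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class TokenAuthUserModel
{
    public function __construct(
        private PermissionSet $token,      // permissions granted by the token's scopes
        private ?PermissionSet $subject,   // the client's default user; null models an empty auth_user_id
        private string $combine = 'and',   // 'and' = intersection (quoted module code), 'or' = the change in the report
    ) {}

    public function hasPermission(string $permission): bool
    {
        // client_credentials with no user on the token: only the scopes decide.
        if ($this->subject === null) {
            return $this->token->hasPermission($permission);
        }
        $fromToken = $this->token->hasPermission($permission);
        $fromUser = $this->subject->hasPermission($permission);
        return $this->combine === 'or' ? ($fromToken || $fromUser) : ($fromToken && $fromUser);
    }
}

// Constructed sample grants (hypothetical scope and user permission sets).
$administratorScope = new PermissionSet(['access content', 'administer nodes', 'view all revisions']);
$narrowScope = new PermissionSet(['access content']);
$defaultUser = new PermissionSet(['access content', 'view all revisions']);

$cases = [
    ['admin scope, no user, and',        new TokenAuthUserModel($administratorScope, null)],
    ['narrow scope + default user, and', new TokenAuthUserModel($narrowScope, $defaultUser)],
    ['narrow scope + default user, or',  new TokenAuthUserModel($narrowScope, $defaultUser, 'or')],
    ['admin scope + default user, or',   new TokenAuthUserModel($administratorScope, $defaultUser, 'or')],
];

foreach ($cases as [$label, $user]) {
    printf(
        "%-34s view all revisions: %-4s administer nodes: %s\n",
        $label,
        $user->hasPermission('view all revisions') ? 'yes' : 'no',
        $user->hasPermission('administer nodes') ? 'yes' : 'no'
    );
}
```

Run it with `php` (8.0 or later, for constructor property promotion). The third case is the one to look at: the narrow scope carries only 'access content', yet with `'or'` the token still gets 'view all revisions' from the default user, so the scope does not attenuate anything. The fourth case shows the converse: with `'or'` the token reaches 'administer nodes' even though the default user was never granted it. Under `'and'` both of those checks return no, which is the attenuation the quoted module code implements.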
