fix solr security problem with individual users #20

@reekitconcept

Description

Steps to Reproduce

  • as admin
  • click on search button
  • search for an event with a word from its title
  • -> actual behavior: the event is not returned
  • -> behavior you would expect: the event is returned

Reason

collective.solr replaces ":" with "$" in roles when indexing, but we did not compensate for this in the backend service. As a consequence, whenever access depends on a principal containing ":" (for example user:user1, which collective.solr indexes as user$user1, or a role such as user$AuthenticatedUsers), the content is not returned for the current user.

It's unlikely that this gives a security attack vector, but it's confirmed that for some users some content is not returned that should be returned.
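The following is an added example, not collective.solr's or this project's own code. It assumes only what the issue states: the indexer stores allowedRolesAndUsers values with ":" rewritten to "$" (":" is the field/value separator in Solr query syntax), and the backend builds a filter query from the current user's principals. The document and user data is constructed. It shows why the naive filter never matches a per-user token, that the fixed filter returns the event, and that the fix does not widen what another user can see.

```python
"""Added example (not collective.solr's or the project's own code).

Assumption, taken from the issue: the Solr indexer stores each
allowedRolesAndUsers value with ':' rewritten as '$'.  The backend must
apply the same rewrite to the current user's principals when it builds
the filter query, otherwise a token such as 'user:user1' never matches
the stored 'user$user1'.  All data below is constructed for the example.
"""

# Constructed snapshot of what the index holds for two documents.
INDEXED_DOCS = {
    "event-1": {"allowedRolesAndUsers": ["user$user1"]},  # shared with user1 only
    "page-1": {"allowedRolesAndUsers": ["Anonymous"]},    # public
}


def index_token(value):
    """Mimic the indexer's rewrite of ':' to '$' (assumed behaviour from the issue)."""
    return value.replace(":", "$")


def build_filter_naive(principals):
    """The buggy backend: passes the user's principals through unchanged."""
    return list(principals)


def build_filter_fixed(principals):
    """The fix: normalize principals exactly as the indexer normalizes stored values."""
    return [index_token(p) for p in principals]


def build_fq(tokens):
    """Render the Solr filter query the backend would send (quoted, OR-joined)."""
    quoted = " OR ".join('"%s"' % t for t in tokens)
    return "allowedRolesAndUsers:(%s)" % quoted


def search(filter_tokens, docs=INDEXED_DOCS):
    """Simulate Solr's fq evaluation: a document is returned when any of its
    stored tokens appears in the filter set."""
    allowed = set(filter_tokens)
    return sorted(
        doc_id for doc_id, fields in docs.items()
        if allowed.intersection(fields["allowedRolesAndUsers"])
    )


def visible_to(principals, builder):
    """Documents the given principals can see, using one filter builder."""
    return search(builder(principals))


def unnormalized_tokens(filter_tokens):
    """Audit helper: tokens that still contain ':' can never match the index,
    which is the silent-failure signature of this bug."""
    return [t for t in filter_tokens if ":" in t]


if __name__ == "__main__":
    user1 = ["Anonymous", "Authenticated", "user:user1"]
    user2 = ["Anonymous", "Authenticated", "user:user2"]
    print(build_fq(build_filter_naive(user1)))    # carries "user:user1": never matches
    print(build_fq(build_filter_fixed(user1)))    # carries "user$user1": matches event-1
    print(visible_to(user1, build_filter_naive))  # ['page-1']  (bug: event missing)
    print(visible_to(user1, build_filter_fixed))  # ['event-1', 'page-1']
    print(visible_to(user2, build_filter_fixed))  # ['page-1']  (fix does not widen access)
```

The `unnormalized_tokens` check is the kind of assertion worth keeping in the backend: any ":" left in a security filter token means that token will silently match nothing, so the query drops content rather than exposing it, which is why the symptom is missing results instead of an access-control bypass.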

Labels

bug (Something isn't working)