Conversation

@adriendupuis adriendupuis commented Oct 2, 2024

| Question | Answer |
|---|---|
| JIRA Ticket | CS-12420 |
| Versions | master, 4.6, 3.3 |
| Edition | All |

If the Anonymous user doesn't have the user/login policy with a limitation containing the SiteAccess used for REST, no connection can be established.

For example, on a clean install with the policy removed, a 500 error `User 'anon.' doesn't have user/login permission to SiteAccess 'site'` will be obtained whatever the resource, including /user/sessions to try to establish an authentication.

If I now configure a SiteAccess `api` and give Anonymous a user/login policy limited to `api`:

```
% curl 'http://ddev-ibexa-tmp2.ddev.site:8080/api/ibexa/v2/content/locations/1/2'
<?xml version="1.0" encoding="UTF-8"?>
<ErrorMessage media-type="application/vnd.ibexa.api.ErrorMessage+xml">
 <errorCode>500</errorCode>
 <errorMessage>Internal Server Error</errorMessage>
 <errorDescription>User 'anon.' doesn't have user/login permission to SiteAccess 'site'</errorDescription>
```

```
% curl 'http://ddev-ibexa-tmp2.ddev.site:8080/api/ibexa/v2/content/locations/1/2' -H 'X-SiteAccess: api'
<?xml version="1.0" encoding="UTF-8"?>
<Location media-type="application/vnd.ibexa.api.Location+xml" href="/api/ibexa/v2/content/locations/1/2">
 <id>2</id>
```

The X-SiteAccess header overrides the matched SiteAccess as expected.

I added a caution to REST API Authentication by association of ideas and because it's where it can be disturbing: anonymous is used for REST requests even when authenticated against the REST server.

Preview: https://ez-systems-developer-documentation--2505.com.readthedocs.build/en/2505/api/rest_api/rest_api_authentication/

Checklist

  • Text renders correctly
  • Text has been checked with vale
  • Description metadata is up to date
  • Redirects cover removed/moved pages
  • Code samples are working
  • PHP code samples have been fixed with PHP CS fixer
  • Added link to this PR in relevant JIRA ticket or code PR
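A small diagnostic, added here as an example and not part of the PR or of Ibexa's own code: it parses the `ErrorMessage` body shown above, recognises the user/login SiteAccess rejection, and returns the `X-SiteAccess` header that points the request at the SiteAccess the anonymous policy is limited to. The sample bodies are constructed from the curl output in the description; the REST SiteAccess name `api` is the one the description configures.

```python
"""Classify an Ibexa REST failure caused by the anonymous user lacking the
user/login policy for the matched SiteAccess, and name the fix."""
import re
import xml.etree.ElementTree as ET

# Constructed sample responses, modelled on the curl output in the PR description.
ERROR_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<ErrorMessage media-type="application/vnd.ibexa.api.ErrorMessage+xml">
 <errorCode>500</errorCode>
 <errorMessage>Internal Server Error</errorMessage>
 <errorDescription>User 'anon.' doesn't have user/login permission to SiteAccess 'site'</errorDescription>
</ErrorMessage>"""

OK_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<Location media-type="application/vnd.ibexa.api.Location+xml" href="/api/ibexa/v2/content/locations/1/2">
 <id>2</id>
</Location>"""

# Shape of the errorDescription the REST layer emits for this failure.
LOGIN_RE = re.compile(
    r"User '(?P<user>[^']+)' doesn't have user/login permission to SiteAccess '(?P<sa>[^']+)'"
)


def diagnose(status, body):
    """Return {'user', 'siteaccess'} when the response is the user/login
    SiteAccess rejection, otherwise None (non-500, non-XML, other errors)."""
    if status != 500:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "ErrorMessage":
        return None
    match = LOGIN_RE.search(root.findtext("errorDescription") or "")
    if not match:
        return None
    return {"user": match["user"], "siteaccess": match["sa"]}


def remediation(status, body, rest_siteaccess):
    """Headers to add on retry: X-SiteAccess overrides the matched SiteAccess,
    so the request is checked against the policy limited to rest_siteaccess.
    Empty when the response is not this failure or already hit that SiteAccess."""
    found = diagnose(status, body)
    if found is None or found["siteaccess"] == rest_siteaccess:
        return {}
    return {"X-SiteAccess": rest_siteaccess}
```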

@adriendupuis adriendupuis changed the title REST: anon. user/login needed CS-12420: REST: anon. user/login needed Oct 2, 2024
@adriendupuis adriendupuis marked this pull request as ready for review October 2, 2024 13:47
@adriendupuis adriendupuis requested a review from dabrt October 2, 2024 14:07
@adriendupuis adriendupuis changed the title CS-12420: REST: anon. user/login needed [CS-12420] REST: anon. user/login needed Oct 3, 2024
@adriendupuis adriendupuis merged commit cb82277 into master Oct 11, 2024
5 checks passed
@adriendupuis adriendupuis deleted the CS-12420 branch October 11, 2024 08:30
adriendupuis added a commit that referenced this pull request Oct 11, 2024
---------

Co-authored-by: Tomasz Dąbrowski <[email protected]>
(cherry picked from commit cb82277)
adriendupuis added a commit that referenced this pull request Oct 11, 2024
---------

Co-authored-by: Tomasz Dąbrowski <[email protected]>
(cherry picked from commit cb82277)