pkp/pkp-lib#12374 Fix issue preventing users from accepting invitations while logged out

[taslangraham]

For #12374

[asmecher]

This will bypass e.g. HttpsPolicy, which should apply. Could you see if there's another way that doesn't require short-cutting the authorize function? I worry this will have other knock-on effects.

[taslangraham]

@asmecher
Maybe something like the following would suffice.

    // api/v1/_i18n/I18nController.php::authorize()
    public function authorize(PKPRequest $request, array &$args, array $roleAssignments): bool
    {
        $this->addPolicy(new class extends \PKP\security\authorization\AuthorizationPolicy {
            public function effect(): int {
                return self::AUTHORIZATION_PERMIT;
            }
        });
        return parent::authorize($request, $args, $roleAssignments);
    }

This adds an anonymous policy class which grants access to the endpoints, but still allows the authorization checks in the base PKPBaseController class to take effect. What do you think?

If we go with this approach then that anonymous policy could be moved to an actual policy class.

[asmecher]

@taslangraham, that looks promising, but before you go that route -- can you check whether a call to markRoleAssignmentsChecked would be enough? If I remember correctly, the auth code doesn't like it when code is run without an role-checking auth policy, because there's a risk that someone will forget to add the auth policy. This function will let the auth code know that it's not a mistake, we actually do want to run without a policy added.

[taslangraham]

@asmecher

I checked, and the markRoleAssignmentsChecked method alone isn't enough. Based on what you described though, if we go the route I suggested above, then it likely should be updated to also call markRoleAssignmentsChecked.