ContentSearchExtensions.FilterOnReadAccess seems to work only with virtual roles, i.e. with roles like Administrator, CmsAdmin and CmsEditor. But not with user roles like WebEditors, WebAdmis and your own domain specific user roles.
For example, I've allowed the access only for WebEditors and Administrators. When I login with a local Windows Administrator account, I'll get the correct results (because the account is mapped to Administrators virtual role). But if I login with a WebEditor-account the result is filtered by FilterOnReadAccess, though the user has the required privileges. Furthermore, if I grant access to CmsEditors virtual role then the page is found with WebEditors account too (because WebEditors role is mapped to virtual role CmsEditors).
I've update the latest nugets and the problem still persist in two different projects. I think access rights are one the most important features in a search service, so if this occures with others too, Episerver should fix it asap.
The method uses uses VirtualRoleRepository which, unlike documented, includes only virtual roles!
More specific details: method ContentSearchExtensions.GetCurrentUsersRoles is responsible for getting current user's roles. It uses VirtualRoleRepository, and only returns virtual roles. The method is private, but it's easy to confirm this using reflection.
The current implementation is against documented behaviour, and counter intuitive too, so this most certainly is a bug. I'll create a bug report and let's see how that goes.
Just letting you know we received your ticket/bug report. What version of Find do you have currently installed?
I'm using EPiServer.Find 188.8.131.529 with EPiServer.CMS.Core 7.19.2.
Btw. I found out that if I add existing roles as mapped virtual roles, then the access check works. But I'm not sure if this causes unwanted side effects due to name conflicts. For example, in EPiServerFramework.config add virtual role providers:
<add name="WebEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebEditors" mode="Any" /> <add name="WebAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins" mode="Any" />
Really useful Jounl, thanks, I've been pulling my hair trying to work out what was going on! Just to add that the issue also affects FilterForVisitor(), which I assume uses FilterOnreadAccess(). The filter seems to work OK without the workaround for unified search queries, I think it only comes into play with GetContentResult().