OK, progress: after some further digging, I’ve discovered this “key” is a secure access key, providing password-less login to anyone with that link: Not asking for credentials when accessing from mail notification - #2 by asmecher.
That post provides a hint on how to disable it; I’ve done so by deselecting the “One Click Reviewer Access” in the Workflow > Review settings.
That effectively removes the “key” parameter from the generated {$reviewAssignmentUrl}.
Yet, the question remains: if “key” is causing an error ingetAuthorizedContextObject(), what is wrong?
- a bug in the OJS/PKP code
- something in the configuration setting that might generate a wrong key value