Hi @asmecher,
I checked ApiTokenDecodingMiddleware.inc.php, which checks the token and throws an exception if there is a problem. For my tests, it was called, it analysed the API token, generated the shorter version of the token that appears in my user object (using json_decode), and returned true.
In lib/pkp/classes/handler/PKPHandler.inc.php, I can see four huge Authorization Policies: ContextAccessPolicy, RestrictedSiteAccessPolicy, HttpsPolicy, and UserRolesRequiredPolicy (in which I could unfortunately not find any useful hints), and one User object, which in every case identified the correct user for the apiToken.
In ApiAuthorizationMiddleware.inc.php (next to ApiTokenDecodingMiddleware.inc.php in the directory), the authorization fails with the message:
user.authorization.restrictedSiteAccess
So, this must be the problem. On our site, we have set that only logged-in users can view the site (from our Users and Roles, Site Access Options page):
Additional Site and Article Access Restrictions
checked: Users must be registered and log in to view the journal site.
checked: Users must be registered and log in to view open access content.
User Registration
Visitors can register a user account with the journal.
checked: The Journal Manager will register all user accounts. Editors or Section Editors may register user accounts for reviewers.
When I remove the requirement to log in, the apiToken works. Hooray! The long search is over. Now I just need to figure out how to log in from my script.
Thanks very much for the patient help!
Best regards,
Paul
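The two-stage check Paul describes (token decoding first, then the authorization policies, with RestrictedSiteAccessPolicy rejecting the request) as a constructed PHP model. This is added illustration, not OJS/PKP code: the function and class names are stand-ins for ApiTokenDecodingMiddleware and RestrictedSiteAccessPolicy, the `uid` claim and the session flag are assumptions made for the demo, and the token decoder deliberately skips signature verification so the script runs offline (the real middleware verifies the token). The model only reproduces the behaviour observed in the post: a valid token identifies the user, yet the request still fails while "Users must be registered and log in to view the journal site" is enabled and no login session is present.

```php
<?php
declare(strict_types=1);

// Constructed model, not OJS code. Stage 1: decode the bearer token.
// A real JWT check verifies the signature; this demo only reads the
// payload segment (assumption: a "uid" claim names the user).
function decodeApiToken(string $bearer): ?array
{
    $parts = explode('.', $bearer);
    if (count($parts) !== 3) {
        return null; // not JWT-shaped: header.payload.signature
    }
    $payload = base64_decode(strtr($parts[1], '-_', '+/'), true);
    if ($payload === false) {
        return null;
    }
    $claims = json_decode($payload, true);
    return (is_array($claims) && isset($claims['uid'])) ? $claims : null;
}

// What the policy chain sees for one request (stand-in for the real context).
final class RequestContext
{
    public function __construct(
        public int $apiUserId,         // user identified from the API token
        public bool $hasLoginSession,  // browser-style login session present (assumption)
        public bool $siteRestricted    // "Users must be registered and log in to view the journal site"
    ) {
    }
}

// Stage 2: stand-in for RestrictedSiteAccessPolicy. Returns null when the
// request may proceed, otherwise the failure message key from the post.
// Modelled assumption: the policy consults the login session, which is why a
// correctly identified API user is still rejected.
function restrictedSiteAccessPolicy(RequestContext $ctx): ?string
{
    if ($ctx->siteRestricted && !$ctx->hasLoginSession) {
        return 'user.authorization.restrictedSiteAccess';
    }
    return null;
}

// Runs both stages in order and reports the outcome.
function authorize(string $bearer, bool $hasLoginSession, bool $siteRestricted): string
{
    $claims = decodeApiToken($bearer);
    if ($claims === null) {
        return 'token rejected';
    }
    $ctx = new RequestContext((int) $claims['uid'], $hasLoginSession, $siteRestricted);
    $denied = restrictedSiteAccessPolicy($ctx);
    return $denied ?? 'allowed for user ' . $ctx->apiUserId;
}

// Constructed sample token: base64url payload {"uid":42}, dummy header and signature.
$payload = rtrim(strtr(base64_encode(json_encode(['uid' => 42])), '+/', '-_'), '=');
$token = 'eyJhbGciOiJIUzI1NiJ9.' . $payload . '.sig';

// Restricted site, token only (Paul's failing case).
echo authorize($token, false, true), PHP_EOL;
// Restriction removed (the case that made the token work).
echo authorize($token, false, false), PHP_EOL;
// Restricted site, but a login session is present.
echo authorize($token, true, true), PHP_EOL;
```

Run with `php model.php`. The ordering is the point: the token is accepted before any policy runs, so a failure message from the policy stage does not mean the token was bad, which is why checking the middleware first led nowhere.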