We allow the ' character in JCR user nodes.
So we need to properly escape the user name, as it is used in queries to fetch the user in:
info.magnolia.cms.security.RepositoryBackedSecurityManager.findPrincipalNodeByQuery(String, Session, String, Node)
Especially for public users (and when having Scottish users) the ' character is used a lot and needed.
Here with a test user named "test'test".
Or the bold part will be interpreted as a query:
...name() = 'test'test' and isdescendantnode...
I added a patch with an escape method used for the user name.
Maybe one sees more cases to escape.
Group names can't have ' characters, so I'm not escaping the groupname.
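
The failure described in the report, as an added example (not the attached patch and not Magnolia's own code): it builds a lookup statement with and without quote escaping and reads the name literal back the way a query parser would. The class and method names, the `mgnl:user` statement, the `/public` path and the sample user names are assumptions made for illustration.

```java
public class UserNameQueryEscaping {

    // In a JCR-SQL2 string literal a single quote is written as two single quotes.
    static String escapeLiteral(String value) {
        return value.replace("'", "''");
    }

    // Constructed statement; node type and path are assumptions, not from the report.
    static String userQuery(String userName, boolean escape) {
        String name = escape ? escapeLiteral(userName) : userName;
        return "select * from [mgnl:user] where name() = '" + name
                + "' and isdescendantnode('/public')";
    }

    // Reads the first string literal the way a query parser would:
    // '' inside the literal is one quote, a lone ' ends it.
    // Returns null when the statement has no terminated literal.
    static String firstLiteral(String statement) {
        int i = statement.indexOf('\'');
        if (i < 0) {
            return null;
        }
        StringBuilder literal = new StringBuilder();
        for (i++; i < statement.length(); i++) {
            char c = statement.charAt(i);
            if (c != '\'') {
                literal.append(c);
            } else if (i + 1 < statement.length() && statement.charAt(i + 1) == '\'') {
                literal.append('\'');
                i++; // skip the second quote of the escaped pair
            } else {
                return literal.toString();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample user names.
        for (String user : new String[] {"test'test", "O'Neil", "superuser"}) {
            for (boolean escape : new boolean[] {false, true}) {
                String statement = userQuery(user, escape);
                String seen = firstLiteral(statement);
                System.out.printf("escape=%-5b %s%n  name literal: %s (%s)%n", escape,
                        statement, seen, user.equals(seen) ? "matches user" : "MISMATCH");
            }
        }
    }
}
```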