RoleController.DeleteRole(RoleInfo role) does not clear the user cache, which results in the fact that after deleting a role (in the admin UI) the property UserInfo.Roles is not updated and still contains the deleted role.
How to reproduce:
1) Create a role
2) Add user to role
3) Log in as this user and make sure UserController.Instance.GetCurrentUserInfo().Roles contains the new role
4) Delete the role
5) Log in as this user and UserController.Instance.GetCurrentUserInfo().Roles still contains the role that was deleted in step 4
Under certain conditions this could be a security problem: If you delete a role and create a role with the same name, the user is not a member of this role, but any code that will test against the UserInfo's Role property gets outdated information.
I will create a pull request to fix this problem.
I've created a pull request: https://github.com/dnnsoftware/Dnn.Platform/pull/130
Code review will be done by devs, and QA needs to do some partial regression regarding role deletion and recovery. Be careful with Social as well.
Verified in 7.3.3 build 77
UserController.Instance.GetCurrentUserInfo().Roles NO LONGER contains the role that was deleted in step 4
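
The stale-cache condition reported in this issue, as an added example that is not DNN code and not taken from the pull request: a small self-contained model in which a role is deleted and recreated under the same name while a user's cached role list survives. `RoleStore`, `StaleAfterRecreate`, the `clearOnDelete` switch and the sample names are hypothetical, and clearing the whole cache on delete is an assumption about the shape of the fix.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical model of the reported behaviour; these are not DNN's classes.
class RoleStore
{
    private readonly Dictionary<string, HashSet<string>> members = new Dictionary<string, HashSet<string>>();
    private readonly Dictionary<string, string[]> userCache = new Dictionary<string, string[]>();
    private readonly bool clearOnDelete;

    public RoleStore(bool clearOnDelete) { this.clearOnDelete = clearOnDelete; }
    public void CreateRole(string role) { members[role] = new HashSet<string>(); }
    // In this model, adding a member drops that user's cached role list.
    public void AddUser(string user, string role) { members[role].Add(user); userCache.Remove(user); }

    public void DeleteRole(string role)
    {
        members.Remove(role);
        if (clearOnDelete) userCache.Clear(); // the invalidation the issue says is missing
    }

    // Stands in for reading the Roles property of a cached user object.
    public string[] GetRoles(string user)
    {
        if (userCache.TryGetValue(user, out var cached)) return cached;
        var list = new List<string>();
        foreach (var kv in members)
            if (kv.Value.Contains(user)) list.Add(kv.Key);
        return userCache[user] = list.ToArray();
    }
}

static class Demo
{
    // True when a name-based check still sees the deleted role after it is recreated.
    static bool StaleAfterRecreate(bool clearOnDelete)
    {
        var store = new RoleStore(clearOnDelete);
        store.CreateRole("Editors");        // constructed sample role
        store.AddUser("alice", "Editors");  // constructed sample user
        store.GetRoles("alice");            // user logs in, role list is cached
        store.DeleteRole("Editors");
        store.CreateRole("Editors");        // same name, no members
        return Array.IndexOf(store.GetRoles("alice"), "Editors") >= 0;
    }

    static void Main()
    {
        Console.WriteLine("delete without cache clear, stale role seen: " + StaleAfterRecreate(false));
        Console.WriteLine("delete with cache clear, stale role seen: " + StaleAfterRecreate(true));
    }
}
```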