summary

RoleController.DeleteRole(RoleInfo role) does not clear user cache

Description

RoleController.DeleteRole(RoleInfo role) does not clear user cache which results in the fact that after deleting a role (in the admin UI) the property UserInfo.Roles is not updated and still contains the deleted role.

How to reproduce:
1) Create a role
2) Add user to role
3) Login as this user and make sure UserController.Instance.GetCurrentUserInfo().Roles contains the new role
4) Delete the role
5) Login as this user and UserController.Instance.GetCurrentUserInfo().Roles still contains the role that was deleted in step 4

Under certain conditions this could be a security problem: If you delete a role and create a role with the same name, the user is not member of this role, but any code that will test against the UserInfo's Role property gets outdated information.

I will create a pull request to fix this problem.

QA Test Plan

None

Activity

Show:

Ken Grierson

September 7, 2014, 2:35 AM

Verified in 7.3.3 build 77
UserController.Instance.GetCurrentUserInfo().Roles NO LONGER contains the role that was deleted in step 4

Bing Wu

July 31, 2014, 5:20 PM

Code review will be done by devs, and QA needs to do some partial regression regarding role deletion, recovery. Be careful with Social as well.

jan_jonas

July 20, 2014, 2:20 PM

I've created a pull request: https://github.com/dnnsoftware/Dnn.Platform/pull/130

Complete

Assignee

Ken Grierson

Reporter

jan_jonas

Story Size

Unknown

Severity

Major

Triage

New

Reported in Build #

None

Fixed in Build

7.3.3.55

Dev Owner

None

Includes Code Fix

Documentation Required

Trouble Ticket

None

Requires More Info

None

QA Story Points

None

QA Owner

None

Injected

None

Automation Required

None

Code Review Owner

None

Components

Admin - Security Roles

Security & Permissions

Fix versions

7.3.3

Affects versions

7.3.1

Priority

High

Configure