Return content after authorized user is deleted/locked

Found in

EPiServer.ContentDeliveryApi 1.0.1

Fixed in

EPiServer.ContentDeliveryApi 2.1.0


Jun 27, 2018


Oct 30, 2018


Closed, Won't Fix


Steps to reproduce:
1. Configure ContentApiOptions settings in code as in the sample below:

            // Roles used by the Content Delivery API for this reproduction
            var contentApiOptions = new ContentApiOptions
            {
                RequiredRole = "RequiredGroup",
                MinimumRoles = "MinimumGroup"
            };

2. Create 2 groups named as above and grant them the Read right on all content.
3. Create an AuthUser in MinimumGroup.
4. Send a POST request to create an access token for AuthUser
5. Delete MinimumGroup and/or AuthUser
6. Send a GET request to get content by using the access token above when it's not yet expired:


Expected: Returns response code 403 Forbidden.

Actual: Returns content data.

Note: Also fix the similar issue for inactive/locked users.
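
A minimal model of the check this report asks for, as an added example that is not Episerver's code: the token-only check keeps serving content after step 5, while re-reading the account on every request yields the expected 403 for a deleted user, a deleted group, or a locked user. The `User`, `Token` and `TokenCheck` types, the in-memory store, and the 401 for an expired token are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical in-memory stand-ins for the user store and an issued token.
class User { public bool Locked; public HashSet<string> Groups = new HashSet<string>(); }
class Token { public string UserName; public DateTime ExpiresUtc; }

static class TokenCheck
{
    public static readonly Dictionary<string, User> Users = new Dictionary<string, User>();

    // Behaviour described in the report: only the token's own lifetime is checked.
    public static int StatusTokenOnly(Token t, DateTime nowUtc) =>
        t.ExpiresUtc > nowUtc ? 200 : 401;

    // Hardened: re-read the account on every request before serving content.
    public static int StatusRevalidated(Token t, DateTime nowUtc, string minimumGroup)
    {
        if (t.ExpiresUtc <= nowUtc) return 401;                     // expired token (assumed status)
        if (!Users.TryGetValue(t.UserName, out var u)) return 403;  // user was deleted
        if (u.Locked) return 403;                                   // user is inactive/locked
        if (!u.Groups.Contains(minimumGroup)) return 403;           // group deleted or membership removed
        return 200;
    }
}

static class Program
{
    static void Main()
    {
        var now = DateTime.UtcNow;
        // Constructed sample data mirroring steps 2-4 of the reproduction.
        TokenCheck.Users["AuthUser"] = new User { Groups = { "MinimumGroup" } };
        var token = new Token { UserName = "AuthUser", ExpiresUtc = now.AddMinutes(20) };
        Console.WriteLine(TokenCheck.StatusRevalidated(token, now, "MinimumGroup"));

        // The case from the note: the user is locked while the token is still valid.
        TokenCheck.Users["AuthUser"].Locked = true;
        Console.WriteLine(TokenCheck.StatusRevalidated(token, now, "MinimumGroup"));

        // Step 5: the user is deleted; compare both checks on the same token.
        TokenCheck.Users.Remove("AuthUser");
        Console.WriteLine(TokenCheck.StatusTokenOnly(token, now));
        Console.WriteLine(TokenCheck.StatusRevalidated(token, now, "MinimumGroup"));
    }
}
```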