Return content after authorized user is deleted/locked

Found in

EPiServer.ContentDeliveryApi 1.0.1

Fixed in

EPiServer.ContentDeliveryApi 2.1.0

Created

Jun 27, 2018

Updated

Oct 30, 2018

State

Closed, Won't Fix


Description

Steps to reproduce:
1. Configure ContentApiOptions settings in code as sample below:

    var contentApiOptions = new ContentApiOptions
    {
        RequiredRole = "RequiredGroup",
        MinimumRoles = "MinimumGroup"
    };

2. Create 2 groups named as above and apply Read right to all content.
3. Create an AuthUser in MinimumGroup
4. Send a POST request to create an access token for AuthUser
5. Delete MinimumGroup and/or AuthUser
6. Send a GET request to get content by using the access token above when it's not yet expired:

{{EPCMSHost}}/api/episerver/v1.0/content/5

Expected:
Returns response code 403 Forbidden.

Actual:
Returns content data.

Note: The same problem applies to an inactive/locked user whose token is still within its lifetime; that case should be fixed the same way.
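As an added example (not EPiServer's code), the check that closes this gap: after the token's signature and expiry have been verified, the endpoint re-reads the subject from the current user store and answers 403 if the account is gone, locked or inactive, or if any role the request relies on no longer exists or no longer contains the user. The in-memory store, the UserRecord type and the already-resolved list of required roles are assumptions; how ContentApiOptions combines RequiredRole and MinimumRoles is not restated here.

```csharp
using System;
using System.Collections.Generic;

// Constructed example; not EPiServer's implementation.
public sealed class UserRecord
{
    public bool IsLockedOut;
    public bool IsApproved = true;
    public HashSet<string> Roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
}

public sealed class InMemoryUserStore
{
    public readonly Dictionary<string, UserRecord> Users =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase);
    public readonly HashSet<string> Roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
}

public static class TokenSubjectGuard
{
    // Token signature and expiry are assumed to have been validated already.
    // true: serve the content; false: reply 403 Forbidden even though the token is unexpired.
    public static bool IsStillAuthorized(string subject, IEnumerable<string> rolesRequired,
                                         InMemoryUserStore store)
    {
        if (!store.Users.TryGetValue(subject, out var user)) return false; // user deleted
        if (user.IsLockedOut || !user.IsApproved) return false;             // locked or inactive
        foreach (var role in rolesRequired)
        {
            if (!store.Roles.Contains(role)) return false;                  // group deleted
            if (!user.Roles.Contains(role)) return false;                   // membership revoked
        }
        return true;
    }

    public static void Main()
    {
        var store = new InMemoryUserStore();
        store.Roles.Add("MinimumGroup");
        store.Users["AuthUser"] = new UserRecord { Roles = { "MinimumGroup" } };
        var needed = new[] { "MinimumGroup" };

        Console.WriteLine(IsStillAuthorized("AuthUser", needed, store)); // token issued, nothing changed yet
        store.Roles.Remove("MinimumGroup");                               // step 5 of the report: delete the group
        Console.WriteLine(IsStillAuthorized("AuthUser", needed, store));
        store.Roles.Add("MinimumGroup");
        store.Users["AuthUser"].IsLockedOut = true;                       // the locked-user case from the note
        Console.WriteLine(IsStillAuthorized("AuthUser", needed, store));
        store.Users.Remove("AuthUser");                                   // step 5 again: delete the user
        Console.WriteLine(IsStillAuthorized("AuthUser", needed, store));
    }
}
```

Running this check on every request (or at least on every request that carries a bearer token) turns a deleted or locked account into an immediate 403 instead of waiting for the token to expire.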