Return content data with no access right for default group "contentapiread"

Found in

EPiServer.ContentDeliveryApi 1.0.1

Fixed in

EPiServer.ContentDeliveryApi 2.1.0

Created

Jul 11, 2018

Updated

Oct 30, 2018

State

Closed, Fixed and tested


Description

Steps to reproduce

Precondition: Leave the ConfigurationService class at its defaults, so that the RequiredRole and MinimumRoles settings both use the VirtualContentApiRole value "contentapiread".

1. Create a new group named WebAdmins, WebEditors or "contentapiread".
2. Create a new user in that group.
3. Do not add a virtual role mapping for the group.
4. Set access rights on a page (e.g. Start): grant Read to the "Everyone" virtual role, and no rights to the created user or group.
5. Create an access token for the user.
6. Send a request for the content:

{{EPCMSHost}}/api/episerver/v1.0/content/5

Expected:
Error code 403 Forbidden, because RequiredRole restricts the API to "contentapiread" and the user holds that role neither directly nor through a virtual role mapping; Read access granted to "Everyone" must not be enough on its own.

Actual:
Status code 200 with the content data.
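The authorization decision the report expects, written out as an added example. This is not EPiServer code: the shape of the ACL, of the virtual role mappings and of the user object are assumptions chosen to mirror the steps above, and the "observed" variant only models the outcome the report describes (ACL read access honoured, RequiredRole gate not applied); the report does not state the actual cause in 1.0.1.

```python
# Added example modelling the RequiredRole check for the Content Delivery API.
# Not EPiServer code: role/ACL/mapping shapes below are assumptions.
from dataclasses import dataclass, field

CONTENT_API_ROLE = "contentapiread"   # default RequiredRole / MinimumRoles value (from the report)
EVERYONE = "Everyone"                 # built-in virtual role every caller holds


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


def effective_roles(user, virtual_role_mappings):
    """Groups the user belongs to, plus every virtual role mapped onto one of them.
    virtual_role_mappings: {virtual_role: {group, ...}} (assumed shape)."""
    roles = set(user.groups) | {EVERYONE}
    for vrole, groups in virtual_role_mappings.items():
        if groups & user.groups:
            roles.add(vrole)
    return roles


def has_read_access(roles, acl):
    """acl: {principal: {'Read', ...}} (assumed shape). True if any held role grants Read."""
    return any("Read" in rights for principal, rights in acl.items() if principal in roles)


def authorize_fixed(user, acl, virtual_role_mappings, required_role=CONTENT_API_ROLE):
    """Expected behaviour: the caller must hold RequiredRole (directly or via a
    virtual role mapping) AND have Read on the content. Returns an HTTP status."""
    roles = effective_roles(user, virtual_role_mappings)
    if required_role not in roles:
        return 403
    if not has_read_access(roles, acl):
        return 403
    return 200


def authorize_observed(user, acl, virtual_role_mappings, required_role=CONTENT_API_ROLE):
    """Observed 1.0.1 outcome modelled as 'ACL only': the RequiredRole gate is skipped.
    Assumption about the mechanism; the report only states the result."""
    roles = effective_roles(user, virtual_role_mappings)
    return 200 if has_read_access(roles, acl) else 403


def reproduce_report():
    """Steps 1-4 of the report: user in WebEditors, no mapping, Start readable by Everyone.
    Returns (observed status, expected status)."""
    editor = User("editor1", {"WebEditors"})     # constructed sample user
    start_page_acl = {EVERYONE: {"Read"}}        # constructed sample ACL for Start
    no_mappings = {}
    return (authorize_observed(editor, start_page_acl, no_mappings),
            authorize_fixed(editor, start_page_acl, no_mappings))


if __name__ == "__main__":
    observed, expected = reproduce_report()
    print(f"observed={observed} expected={expected}")
```

The two checks are independent on purpose: `required_role not in roles` answers "may this caller use the API at all", while `has_read_access` answers "may this caller see this item". Granting Read to "Everyone" satisfies only the second, which is why the report expects 403 rather than 200.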