oqtane.framework [BUG] - When a user has a role that has a expiry date that is not Valid (i.e. in the past) it is still authorised for that role

Oqtane Info

Version - 5.1.2 (dev Branch) Render Mode - Static Interactivity - Server Database - SQL Server

Describe the bug

When a user has a role that has a expiry date that is not Valid (i.e. in the past) it is still authorised for that role

Expected Behavior

The user should not be authorised if the user has a role which has expired

Steps To Reproduce

Add a role and set the expiry date to yesterday
Add that role to a user
Add HTML module and set its permission to view and edit to that specific role
Log in as the user assigned that role, and you will still be able to view and edit the HTML Module

Anything else?

May 24 '24 02:05 vnetonline

@vnetonline Good point! However, roles should expire and be removed automatically after their expiry date. We might need a system to identify and handle temporary roles for automatic removal upon expiration.

May 24 '24 09:05 leigh-pointer

Will sync events be good to remove the roles on expiry??

May 24 '24 10:05 vnetonline

Will sync events be good to remove the roles on expiry??

Think that is over use ov the framework, when it could be implemented with a simple remove on expiry flag. I see this being applied before the role is used thus removing the assignment and returning false for authorization.

May 24 '24 12:05 leigh-pointer

Close this as you can use the UserRoleService to validate the effective and expiry date in your own module

May 25 '24 09:05 vnetonline

@sbwalker reopening this issue as I think this should be handled by the framework just like it does for Page

Jun 18 '24 23:06 vnetonline

I will look in to this and raise a PR

Jun 19 '24 09:06 leigh-pointer