Affects Version/s: 6.2.X EE, 7.0.1 CE GA2
There appears to be a permission caching issue related to a few of the APIs in the RoleLocalServiceUtil. The client is applying a regular role to a user as part of a workflow process but the effect is not immediately apparent. Applying the same role via the Users and Orgs UI works immediately.
Clearing the cache via Server Administration ("Clear content cached across the cluster") will resolve the issue and demonstrates this is a caching problem.
Furthermore, RoleLocalServiceUtil.addUserRoles(long userId, long[] roleIds) includes code to reindex the user and to call PermissionCacheUtil.clearCache(userId), but both steps are missing from addUserRole(long userId, long roleId). It appears there are a handful of generated methods in the RoleLocalService that may not be clearing the user cache correctly.
1. Set up a regular Role, "TestRole" (you must give it this name for the script to work in step 5).
2. Create a page and add a content item with permissions set so that only the TestRole has VIEW permission.
3. Create a user, "TestUser" (you must give it this name for the script to work in step 5), who does not have the TestRole at first.
4. Verify that the user cannot see the content item on that page.
5. Run the attached Groovy script via the Server Administration Script tab to apply the role to the user.
6. Check the test page again.
Expected Result: The user can now see the protected content item.
Actual Results: The user still cannot see the item.
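The following script-console sketch is an added example, not the attached script and not Liferay's own code. It makes the single-role call and then performs the reindex and per-user cache clear that the description says the multi-role method does. The 7.0 package names and the use of "TestUser" as the screen name are assumptions.

```groovy
// Added example for the Server Administration Script tab (Groovy).
// Assumption: imports use Liferay 7.0 package names; 6.2 keeps the
// service, model and permission classes in older packages.
import com.liferay.portal.kernel.model.User
import com.liferay.portal.kernel.search.IndexerRegistryUtil
import com.liferay.portal.kernel.security.permission.PermissionCacheUtil
import com.liferay.portal.kernel.service.RoleLocalServiceUtil
import com.liferay.portal.kernel.service.UserLocalServiceUtil
import com.liferay.portal.kernel.util.PortalUtil

long companyId = PortalUtil.getDefaultCompanyId()

// Names come from the reproduction steps; treating "TestUser" as the
// screen name is an assumption.
def user = UserLocalServiceUtil.getUserByScreenName(companyId, "TestUser")
def role = RoleLocalServiceUtil.getRole(companyId, "TestRole")
long userId = user.getUserId()
long roleId = role.getRoleId()

if (RoleLocalServiceUtil.hasUserRole(userId, roleId)) {
    out.println("TestUser already has TestRole; skipping addUserRole")
} else {
    // The single-role call that the report says leaves the cache stale.
    RoleLocalServiceUtil.addUserRole(userId, roleId)
}

// Follow-up steps the report attributes to the multi-role method:
// 1. Reindex a freshly loaded copy of the user.
def refreshed = UserLocalServiceUtil.getUser(userId)
IndexerRegistryUtil.nullSafeGetIndexer(User.class).reindex(refreshed)

// 2. Drop the cached permission checks for this user only, instead of
//    clearing every cache across the cluster.
PermissionCacheUtil.clearCache(userId)

out.println("hasUserRole=" + RoleLocalServiceUtil.hasUserRole(userId, roleId))
```

If the protected content item becomes visible after this script without using "Clear content cached across the cluster", that narrows the fault to the missing per-user cache invalidation.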