Merge pull request #98 from DeathGun44/MX-222

IOhacker · web-flow · commit 158c19bd3baf · 2026-04-06T11:30:14.000-06:00
MX-222: Fix Self-Service API caches stale RBAC permissions after role updates
diff --git a/src/main/java/org/apache/fineract/selfservice/security/service/TenantAwareJpaPlatformSelfServiceUserDetailsService.java b/src/main/java/org/apache/fineract/selfservice/security/service/TenantAwareJpaPlatformSelfServiceUserDetailsService.java
@@ -21,7 +21,6 @@
 import org.apache.fineract.selfservice.security.domain.PlatformSelfServiceUser;
 import org.apache.fineract.selfservice.security.domain.PlatformSelfServiceUserRepository;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.cache.annotation.Cacheable;
 import org.springframework.dao.DataAccessException;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -38,7 +37,6 @@ public class TenantAwareJpaPlatformSelfServiceUserDetailsService implements Plat
     private PlatformSelfServiceUserRepository platformUserRepository;
 
     @Override
-    @Cacheable(value = "selfServiceUsersByUsername", key = "T(org.apache.fineract.infrastructure.core.service.ThreadLocalContextUtil).getTenant().getTenantIdentifier().concat(#username+'ubu')")
     public UserDetails loadUserByUsername(final String username) throws UsernameNotFoundException, DataAccessException {
 
         // Retrieve active users only
diff --git a/src/test/java/org/apache/fineract/selfservice/security/api/SelfServicePermissionEnforcementIntegrationTest.java b/src/test/java/org/apache/fineract/selfservice/security/api/SelfServicePermissionEnforcementIntegrationTest.java
@@ -137,5 +137,22 @@ void testSavingsProductsRequireReadSavingsProductPermission() throws Exception {
         .get(SelfServiceTestUtils.CONTEXT_PATH + "/api/v1/self/savingsproducts")
         .then()
         .statusCode(200);
+
+    // 7. Revoke READ_SAVINGSPRODUCT to verify the cache does not retain it
+    permissions.put("READ_SAVINGSPRODUCT", false);
+    permissionBody.put("permissions", permissions);
+
+    given(SelfServiceTestUtils.requestSpecWithAuth(getFineractPort(), "mifos", "password"))
+        .body(permissionBody)
+        .put(SelfServiceTestUtils.CONTEXT_PATH + "/api/v1/roles/" + roleId + "/permissions")
+        .then()
+        .statusCode(200);
+
+    // 8. Test the API without the permission: Expect 403 immediately
+    given(SelfServiceTestUtils.requestSpecWithAuth(getFineractPort(), "tomas", "password"))
+        .when()
+        .get(SelfServiceTestUtils.CONTEXT_PATH + "/api/v1/self/savingsproducts")
+        .then()
+        .statusCode(403);
   }
 }
