Changing role's permissions requires application server restart

I’m experiencing the following issue when calling services via REST API:

  • I defined a service method that returns an Entity instance
  • When the method is called via REST API, the security attributes are checked against the returned entity (see RestControllerUtils#applyAttributesSecurity method, called by ServicesControllerManager#_invokeServiceMethod)
  • I realized that I had missed defining appropriate permissions for a user’s role
  • I log in as an admin on the web interface, and change the role’s permissions accordingly
  • Then I try to obtain a new auth token for the user via REST API, and call that service method

What I expect:
Being able to see the correct result (an entity with all the attributes I allowed in the role)

What happens now:
The same “empty” entity is returned, until I hard reload the application server


Just created a small project based on platform 6.6.4 and tried to reproduce the steps:

1. I created a service that returns a list of entities
2. I created a role that hides one attribute of this entity
3. I obtained a token for the user with this role and invoked the service - the result doesn’t contain a hidden attribute
4. I logged in as admin and changed the role - now it forbids nothing
5. Without restarting the server I obtained a new token for the user
6. After I invoked the service, the result had all fields

So, for me everything worked.

If you did anything in a different way, please explain. Or attach a small project with detailed steps on how to reproduce the problem.