Glass v5 caching not respecting Sitecore security #440

Open
@jeroendegroot

It seems like the new caching in Glass Mapper v5 is not properly checking permissions set in Sitecore. Sample steps to reproduce:

  1. Create a new content item and create a user who does not have read permission to this item
  2. Create a template with a link field
  3. Create a content item with the template from step 2 and point the link to the item from step 1
  4. Create a Glass model for the template from step 2 and put in code to retrieve the item with the link, e.g. `T val = mvcContext.GetDataSourceItem<T>()`
  5. Load the model from step 4 first with the user who does not have permissions to the link. The link field will be empty; this is expected since the user does not have permission.
  6. Now load the same model with a user who has permissions to the item. The link is still empty; this is not expected, as the user has permission to this link.

Changing the code from point 4 to `T val = mvcContext.GetDataSourceItem<T>(x => x.CacheDisabled())` resolves this issue.

EDIT: the opposite is also true: Glass will return items to which the user does not have access if they were requested by an authorized user initially.
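A self-contained model of the failure described in this issue, added here as an illustration and not taken from Glass Mapper or Sitecore. It assumes the mapped object is cached under the item's ID alone after the permission filter has run, and contrasts that with a key that includes the requesting user; every type, method and value name below is hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical model of the reported behaviour; none of these types are Glass Mapper or Sitecore APIs.
public sealed class LinkModel { public string LinkedItem; }

public static class CacheKeyDemo
{
    // Constructed ACL: only "editor" may read the linked item from step 1.
    static readonly HashSet<string> Readers = new HashSet<string> { "editor" };

    // Stand-in for mapping with the security check applied to the link field.
    static LinkModel Map(string user) =>
        new LinkModel { LinkedItem = Readers.Contains(user) ? "/content/secret" : null };

    // Cache keyed by item ID only: the first caller's filtered view is served to everyone.
    static readonly Dictionary<string, LinkModel> ByItem = new Dictionary<string, LinkModel>();
    public static LinkModel LoadShared(string itemId, string user)
    {
        if (!ByItem.TryGetValue(itemId, out var model))
            ByItem[itemId] = model = Map(user);
        return model;
    }

    // Cache keyed by (user, item ID): each identity gets its own filtered view.
    static readonly Dictionary<(string, string), LinkModel> ByUserAndItem =
        new Dictionary<(string, string), LinkModel>();
    public static LinkModel LoadPerUser(string itemId, string user)
    {
        if (!ByUserAndItem.TryGetValue((user, itemId), out var model))
            ByUserAndItem[(user, itemId)] = model = Map(user);
        return model;
    }

    static string Show(LinkModel m) => m.LinkedItem ?? "(empty)";

    public static void Main()
    {
        // Steps 5 and 6: restricted user loads first, then the permitted user.
        LoadShared("item-A", "visitor");
        Console.WriteLine("shared, editor after visitor:   " + Show(LoadShared("item-A", "editor")));
        // The EDIT case: permitted user loads first, then the restricted user.
        LoadShared("item-B", "editor");
        Console.WriteLine("shared, visitor after editor:   " + Show(LoadShared("item-B", "visitor")));
        // Same two orders with the user included in the cache key.
        LoadPerUser("item-A", "visitor");
        Console.WriteLine("per-user, editor after visitor: " + Show(LoadPerUser("item-A", "editor")));
        LoadPerUser("item-B", "editor");
        Console.WriteLine("per-user, visitor after editor: " + Show(LoadPerUser("item-B", "visitor")));
    }
}
```

A regression test for the real code path can follow the same shape: load the model under both identities in both orders and compare the link field against what each user's permissions allow.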
