Type: Bug
Resolution: Done
Priority: Critical
Affects Version: 6.0.3
Description of problem:
I have a repository with access restricted to certain roles. A user, who has none of these roles, has no access to this repository. However, the user can search for assets including assets in this repository and then can view them and even modify them.
Version-Release number of selected component (if applicable):
JBoss BRMS 6.0.3 (the same problem also applies to Drools 6.2)
How reproducible:
See steps below.
Steps to Reproduce:
1. Use kie-config-cli to create repository repository1 and grant access to this repository to role role1. Use the list-repo command to verify that the setup is as follows:
list-repo
Result:
Currently available repositories:
Repository repository1
scheme: git
uri: git://repository1
environment:
roles: [role1]
2. Create user analyst (e.g. using the add-user script in JBoss EAP) and grant him the analyst role.
3. Log in to business central as some administrator and create a project with some assets in the repository1 repository.
4. Log out from business central and log in as analyst.
5. When you click Authoring -> Project authoring, the user cannot access the repository1 repository. This is OK.
6. Now click Find and in the search form specify some date in the past as Last modified after.
7. Click Search.
8. All the assets of the repository1 repository are shown, you can view them and modify them. This is incorrect, because the user analyst should have no access to the repository1 repository.
Actual results:
User can access assets in a repository for which he has no privileges.
Expected results:
Access to the assets in that repository should be denied.
Additional info:
The same problem applies to the latest version of Drools (i.e. Drools 6.2) as well.
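The failure mode in this report is an authorization check that is enforced on one access path (Project authoring) but skipped on another (Find). The following is an added illustration of that gap and of the fix a reviewer would ask for; it is not Business Central or kie-config-cli code, and the Asset, Repository and User types, the sample repositories and assets, and the search and save functions are all hypothetical and constructed for the example. The point it makes is that the repository ACL has to be applied at the asset/service layer, on every read and write path, not only in the UI navigation that hides the repository.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Asset:
    repo: str
    path: str
    last_modified: date


@dataclass(frozen=True)
class Repository:
    name: str
    roles: FrozenSet[str]  # empty set = no role restriction


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


def can_access(user: User, repo: Repository) -> bool:
    """Repository ACL as set up with kie-config-cli in the report: an unrestricted
    repository is open to everyone, a restricted one needs a shared role."""
    return not repo.roles or bool(user.roles & repo.roles)


# Constructed sample data mirroring the report: repository1 is restricted to role1,
# a second (hypothetical) repository carries no restriction.
REPOS: Dict[str, Repository] = {
    "repository1": Repository("repository1", frozenset({"role1"})),
    "open-repo": Repository("open-repo", frozenset()),
}
ASSETS: List[Asset] = [
    Asset("repository1", "org/example/rules.drl", date(2015, 3, 10)),
    Asset("repository1", "org/example/Applicant.java", date(2015, 3, 11)),
    Asset("open-repo", "mortgages/Pricing.drl", date(2015, 1, 5)),
]
STORE: Dict[Tuple[str, str], str] = {}  # (repo, path) -> content, stands in for the git backend


def browse(user: User, repo_name: str) -> List[Asset]:
    """Project-authoring path: the ACL is checked before anything is listed."""
    repo = REPOS[repo_name]
    if not can_access(user, repo):
        raise PermissionError(f"{user.name} may not access {repo_name}")
    return [a for a in ASSETS if a.repo == repo_name]


def search_unfiltered(user: User, modified_after: date) -> List[Asset]:
    """Vulnerable search path (the 'Find' behaviour reported): hits come straight
    from the index and the caller's repository roles are never consulted."""
    return [a for a in ASSETS if a.last_modified > modified_after]


def search_filtered(user: User, modified_after: date) -> List[Asset]:
    """Hardened search path: every hit is re-checked against the ACL of the
    repository it lives in, so results never include assets the user cannot browse."""
    return [a for a in search_unfiltered(user, modified_after)
            if can_access(user, REPOS[a.repo])]


def save_asset(user: User, asset: Asset, content: str) -> bool:
    """Write path: a user who reached an asset through search (or a pasted link)
    must pass the same ACL check, otherwise leaked visibility becomes modification."""
    if not can_access(user, REPOS[asset.repo]):
        raise PermissionError(f"{user.name} may not modify {asset.repo}:{asset.path}")
    STORE[(asset.repo, asset.path)] = content
    return True


if __name__ == "__main__":
    analyst = User("analyst", frozenset({"analyst"}))
    since = date(2014, 1, 1)
    print("unfiltered:", [f"{a.repo}:{a.path}" for a in search_unfiltered(analyst, since)])
    print("filtered:  ", [f"{a.repo}:{a.path}" for a in search_filtered(analyst, since)])
```

Running the block as a script shows the unfiltered search handing the analyst both repository1 assets while the filtered search returns only the unrestricted repository; the same `can_access` predicate guards browse, search and save, so there is no second, weaker code path to bypass. A regression test for this bug should exercise the search and save entry points with a user outside the repository's roles, not just the browse path that already behaves.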
Issue links:
blocks: RHBRMS-937 [ENG][6.2.z] User with no privileges for repository can view and modify assets in that repository (Verified)
is blocked by: RHBPMS-1014 kie-config-cli: Business central does not start after org-unit or repository is added to a security group (Verified)
is blocked by: RHBPMS-831 Roles added to org. unit and repository are ignored by Business Central (Verified)
is duplicated by: RHBRMS-937 [ENG][6.2.z] User with no privileges for repository can view and modify assets in that repository (Verified)
is related to: RHBRMS-375 Access restrictions to assets does not work with custom roles (Verified)
is related to: RHBPMS-652 Roles added to org. unit and repository are ignored by Business Central (Verified)