Comment 4 for bug 1125637

Adam Young (ayoung) wrote:

Yes, but the real security issue is on the enforcement side, which is based on policy. Dropping the Role does not drop the policy enforcement, which is usually of the form "user needs the role R on Project P in order to execute the method M that affects project P", so just dropping the role is not sufficient to revoke that role from all users, and will have no effect on the overall system. It is surprising, but not necessarily a security bug. Still worth fixing and probably backporting the fix.
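An added toy model of the point made in the comment above (illustration only, not Keystone or oslo.policy code, and not from the comment's author): enforcement is keyed on the role name written in the policy rule and on the roles the caller actually holds, so deleting the role definition from the catalogue by itself changes nothing. The policy key, role names and assignments are constructed, and the rule syntax is a deliberately small subset.

```python
"""Toy model of OpenStack-style policy enforcement. Rules are a tiny subset
of the real syntax: clauses 'role:X' and 'project_id:%(project_id)s' joined
by 'and'. Constructed for illustration; not Keystone or oslo.policy."""

# Constructed sample policy: method M requires role R on the target project.
POLICY = {
    "compute:delete_server": "role:R and project_id:%(project_id)s",
}

def check_clause(clause, creds, target):
    """Evaluate one clause of a rule against the caller's credentials."""
    kind, _, value = clause.partition(":")
    if kind == "role":
        return value in creds["roles"]
    if kind == "project_id":
        # '%(project_id)s' is filled in from the target object being acted on.
        return creds["project_id"] == value % target
    raise ValueError(f"unsupported clause: {clause}")

def enforce(policy, action, creds, target):
    """True only if every clause of the rule for `action` holds."""
    rule = policy[action]
    return all(check_clause(c.strip(), creds, target) for c in rule.split(" and "))

def drop_role(role_catalogue, role):
    """Model the situation discussed: the role definition disappears, but the
    policy rule naming it and the existing assignments are left untouched."""
    role_catalogue.discard(role)
    return role_catalogue

def scenario():
    catalogue = {"R", "member"}
    # Constructed assignment: alice holds R on project p1.
    assignments = {"alice": {"project_id": "p1", "roles": {"R"}}}
    target = {"project_id": "p1"}
    action = "compute:delete_server"
    before = enforce(POLICY, action, assignments["alice"], target)
    drop_role(catalogue, "R")
    # The rule still says role:R and alice's assignment still carries R,
    # so the enforcement decision is unchanged.
    after = enforce(POLICY, action, assignments["alice"], target)
    # Only removing the assignment (or rewriting the rule) changes the outcome.
    assignments["alice"]["roles"].discard("R")
    revoked = enforce(POLICY, action, assignments["alice"], target)
    return before, after, revoked

if __name__ == "__main__":
    print(scenario())  # (True, True, False)
```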