Expired subjects work as non-expired in case Ditto fails to delete them
In addition to #2233, it seems that once Ditto gives up on deleting an expired subject, it remains inside the policy and gets treated like a normal, active subject, with the permissions granted. This is an extremely rare condition, but still possible in theory, because the current enforcer implementation only checks if a certain permission is granted, ignoring the expiration of subjects.
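An added example, not part of the original issue and not Ditto's own enforcer code: a simplified model of the check described above, showing a leftover expired subject being honored when expiry is ignored and rejected when expiry is evaluated at decision time. The subject ids, the `is_granted` function and its `honor_expiry` flag are hypothetical, and resources are matched exactly rather than hierarchically.

```python
import json
from datetime import datetime, timezone

# Constructed policy in the shape of a Ditto policy: the "contractor" subject
# has an expiry in the past but was never removed from the policy.
POLICY = json.loads("""
{
  "entries": {
    "temp-access": {
      "subjects": {
        "example:contractor": {"type": "constructed", "expiry": "2024-01-01T00:00:00Z"},
        "example:owner": {"type": "constructed"}
      },
      "resources": {
        "thing:/": {"grant": ["READ"], "revoke": []}
      }
    }
  }
}
""")

def _expired(subject, now):
    """True if the subject carries an expiry timestamp that is not in the future."""
    expiry = subject.get("expiry")
    if expiry is None:
        return False
    return datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now

def is_granted(policy, subject_id, resource, permission, now, honor_expiry=True):
    """Hypothetical check. honor_expiry=False models the reported behaviour
    (only grants are looked at); True skips expired subjects at decision time."""
    granted = revoked = False
    for entry in policy["entries"].values():
        subject = entry["subjects"].get(subject_id)
        if subject is None:
            continue
        if honor_expiry and _expired(subject, now):
            continue  # fail closed: a leftover expired subject grants nothing
        perms = entry["resources"].get(resource, {})
        granted |= permission in perms.get("grant", [])
        revoked |= permission in perms.get("revoke", [])
    return granted and not revoked

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed evaluation time

if __name__ == "__main__":
    for flag in (False, True):
        ok = is_granted(POLICY, "example:contractor", "thing:/", "READ", NOW, honor_expiry=flag)
        print(f"honor_expiry={flag}: contractor READ granted = {ok}")
```

Evaluating expiry inside the decision path means authorization no longer depends on the background deletion having succeeded.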