Previously the check for workspaces was done by adding ( isInWorkspace("workspaceA") || isInWorkspace("workspaceB") ) to the generated policy. But isInWorkspace() requires an array of all valid workspaces.
I fixed the issue by generating isInWorkspace(["workspaceA", "workspaceB"]) for the policy. I also always added the "live" workspace to this check as otherwise users with this role won't be able to change anything that is published to live even if they are in one of the restricted workspaces. To restrict a user from publishing to live, simply don't add the (parent) role "LivePublisher".
How to verify it
Login
Create new role
Select workspaces you want to restrict the role to (create a new one if you do not have any except live yet)
Create a new test user and apply the new role to it
See if you can publish to any workspace not selected previously
Checklist
[x] Code follows the PSR-2 coding style
[x] Tests have been created, run and adjusted as needed --> I only tested the change manually
This also fixes #34
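
The generation described above, as an added example that is not part of this pull request or the package's own code: it emits a single isInWorkspace([...]) call with "live" always included. The function name buildWorkspaceMatcher and the allowed workspace-name pattern are assumptions made for illustration; the name check keeps a selected workspace name from breaking out of the quoted string in the generated policy.

```php
<?php
declare(strict_types=1);

/**
 * Builds the workspace part of a generated policy matcher.
 * Hypothetical helper: name and validation pattern are assumptions.
 */
function buildWorkspaceMatcher(array $selectedWorkspaces): string
{
    // "live" is always part of the check, as the description states.
    // Keying by name removes duplicates (including a selected "live").
    $quoted = ['live' => '"live"'];

    foreach ($selectedWorkspaces as $name) {
        // Assumed pattern: letters, digits and hyphens only. Anything else
        // (quotes, brackets, whitespace) must never reach the generated
        // expression, because it is concatenated into policy source text.
        if (!is_string($name) || preg_match('/\A[A-Za-z0-9][A-Za-z0-9-]*\z/', $name) !== 1) {
            throw new InvalidArgumentException(
                'Invalid workspace name: ' . var_export($name, true)
            );
        }
        $quoted[$name] = '"' . $name . '"';
    }

    // One call with an array of all valid workspaces, instead of
    // several single-argument calls joined with ||.
    return 'isInWorkspace([' . implode(', ', $quoted) . '])';
}

// Constructed sample input: the two workspaces named in the description.
echo buildWorkspaceMatcher(['workspaceA', 'workspaceB']), PHP_EOL;

// Constructed sample input: a name containing a quote character is rejected
// instead of being written into the policy.
try {
    buildWorkspaceMatcher(['team"x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```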