
[Bug]: Workspace with apps which were public still has production environment accessible to public #33357

sondermanish opened this issue May 10, 2024 · 0 comments
Labels
Bug Something isn't working Datasource Environments Issues related to datasource environments Git Pod Anything related to git sync Medium Issues that frustrate users due to poor UX Multiple Environments Issues or tasks related to multiple environments Needs Triaging Needs attention from maintainers to triage Production


sondermanish commented May 10, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Description

When only staging permission is provided to a role in a workspace which had a public app, the role is able to access both environments. The public `publicPermissionGroup` id is associated with the production environment's policies.

Description from #33354

I'll start by saying I have been on a call yesterday with your team regarding an issue I had. My workspace got bugged and it had the default "App Viewer" role configured, despite no application being public. We have fixed this issue by unassigning this role through MongoDB, but I am filing a bug report, because I believe that there is a serious issue with how the public App Viewer role works.

Because the default "App Viewer" role has access to every application in workspace, and these permissions are assigned to the workspace even if only 1 application in this workspace is public, then:

Any role that gives only staging access to this workspace's environments will also give users production access - this happens through the "App Viewer" role.

If we have an environment with several applications, only one of which is shared, it makes no sense that the whole workspace will be treated as public and every application will be affected.

I have confirmed my theory and I have provided reproduction steps:

Steps To Reproduce

  1. Create a workspace and an application
  2. Make the app public
  3. Remove the public access from the app
  4. Create a role which only has staging environment access and the required app and workspace access
  5. Assign the role to a newly created user who doesn't have access to the workspace
  6. Observe that the user can see production in the drop-down

Public Sample App

No response

Environment

Production

Severity

Medium (Frustrating UX)

Issue video log

No response

Version

1.21
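As an added illustration (not Appsmith's code; the data model, the policy name and the group id are simplified assumptions), the following models the reproduction steps above and adds a triage check that lists environments still granting the public permission group after no app in the workspace is public:

```python
"""Simplified model of the leak in this report (assumptions, not Appsmith's real code)."""
from dataclasses import dataclass, field

PUBLIC_GROUP = "publicPermissionGroup"   # placeholder id for the public permission group
EXECUTE_ENV = "execute:environments"     # assumed name of the environment policy


@dataclass
class Environment:
    name: str
    policies: dict = field(default_factory=dict)  # permission -> set of group ids


@dataclass
class Workspace:
    public_apps: set = field(default_factory=set)
    environments: list = field(default_factory=list)


def _env(ws, name):
    return next(e for e in ws.environments if e.name == name)


def set_app_public(ws, app, public, buggy=True):
    """Publishing adds the public group to production; the buggy path never removes it."""
    if public:
        ws.public_apps.add(app)
        _env(ws, "production").policies.setdefault(EXECUTE_ENV, set()).add(PUBLIC_GROUP)
    else:
        ws.public_apps.discard(app)
        if not buggy and not ws.public_apps:  # fixed path: revoke once no app is public
            _env(ws, "production").policies.get(EXECUTE_ENV, set()).discard(PUBLIC_GROUP)


def visible_environments(ws, role_groups):
    """Assumption: every user is implicitly a member of the public group."""
    effective = set(role_groups) | {PUBLIC_GROUP}
    return sorted(e.name for e in ws.environments
                  if e.policies.get(EXECUTE_ENV, set()) & effective)


def stale_public_grants(ws):
    """Triage check: environments still granting the public group with no public app."""
    if ws.public_apps:
        return []
    return sorted(e.name for e in ws.environments
                  if PUBLIC_GROUP in e.policies.get(EXECUTE_ENV, set()))


def reproduce(buggy):
    """Steps 1-6 of the report: returns (envs visible to a staging-only role, stale grants)."""
    ws = Workspace(environments=[Environment("production"), Environment("staging")])
    set_app_public(ws, "app1", True, buggy)   # step 2
    set_app_public(ws, "app1", False, buggy)  # step 3
    staging_role = {"staging-only-role"}      # step 4
    _env(ws, "staging").policies[EXECUTE_ENV] = set(staging_role)
    return visible_environments(ws, staging_role), stale_public_grants(ws)
```

With `buggy=True` the staging-only role sees both environments and the check flags production; with the fixed path it sees only staging.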

@sondermanish sondermanish added Bug Something isn't working Needs Triaging Needs attention from maintainers to triage Datasource Environments Issues related to datasource environments Multiple Environments Issues or tasks related to multiple environments labels May 10, 2024
@Nikhil-Nandagopal Nikhil-Nandagopal added Medium Issues that frustrate users due to poor UX Production labels May 10, 2024
@github-actions github-actions bot added the Git Pod Anything related to git sync label May 10, 2024