[Bug]: Workspace with apps which were public still has production environment accessible to public #33357
Labels
Bug
Something isn't working
Datasource Environments
Issues related to datasource environments
Git Pod
Anything related to git sync
Medium
Issues that frustrate users due to poor UX
Multiple Environments
Issues or tasks related to multiple environments
Needs Triaging
Needs attention from maintainers to triage
Production
Is there an existing issue for this?
Description
When only staging permission is provided to a role in a workspace which had a public app, the role is able to access both environments. The public publicPermissionGroup id is associated with production environment policies.
Description from #33354
I'll start by saying I was on a call yesterday with your team regarding an issue I had. My workspace got bugged and it had the default "App viewer" role configured, despite no application being public. We have fixed this issue by unassigning this role through MongoDB, but I am filing a bug report, because I believe that there is a serious issue with how the public App Viewer role works.
Because the default "App Viewer" role has access to every application in workspace, and these permissions are assigned to the workspace even if only 1 application in this workspace is public, then:
Any role that gives only staging access to this workspace's environments will also give users production access - this happens through the "App viewer" role.
If we have an environment with several applications, only one of which is shared, it makes no sense that the whole workspace will be treated as public and every application will be affected.
I have confirmed my theory and I have provided reproduction steps:
Steps To Reproduce
Public Sample App
No response
Environment
Production
Severity
Medium (Frustrating UX)
Issue video log
No response
Version
1.21
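One way to audit for the condition reported above is to compute a role's effective environment access and list the environments it reaches only through the public permission group. This is an added example, not code from the issue or from Appsmith; the document layout, the permission name and all ids are constructed assumptions rather than the project's actual schema.

```python
# Constructed sample data. Field names, the permission name and the ids are
# assumptions for this sketch, not Appsmith's actual MongoDB schema.
PUBLIC_GROUP = "pg-public"        # stands in for the publicPermissionGroup id
STAGING_ROLE = "pg-staging-only"  # custom role meant to grant staging only
PERMISSION = "execute"            # hypothetical environment permission name

ENVIRONMENTS = [
    {"workspace": "ws1", "name": "staging",
     "policies": [{"permission": "execute",
                   "permissionGroups": ["pg-staging-only", "pg-admin"]}]},
    {"workspace": "ws1", "name": "production",
     "policies": [{"permission": "execute",
                   "permissionGroups": ["pg-admin", "pg-public"]}]},
    {"workspace": "ws2", "name": "production",
     "policies": [{"permission": "execute",
                   "permissionGroups": ["pg-admin"]}]},
]


def groups_allowed(env, permission):
    """Permission group ids the environment's policies name for `permission`."""
    allowed = set()
    for policy in env.get("policies", []):
        if policy.get("permission") == permission:
            allowed.update(policy.get("permissionGroups", []))
    return allowed


def effective_access(envs, role_groups, public_group, permission):
    """Map (workspace, env) -> groups through which the user holds `permission`.

    Assumption: every user also holds the public group, so it is added to the
    role's own groups before matching against the policies.
    """
    held = set(role_groups) | {public_group}
    result = {}
    for env in envs:
        via = groups_allowed(env, permission) & held
        if via:
            result[(env["workspace"], env["name"])] = via
    return result


def public_leaks(envs, role_groups, public_group, permission):
    """Environments the user reaches only via the public group, not the role."""
    access = effective_access(envs, role_groups, public_group, permission)
    return sorted(key for key, via in access.items() if via == {public_group})
```

An empty result from `public_leaks` means the role's environment access comes only from groups assigned to it explicitly.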