4.7.0, 5.0, 5.1, 5.2, 5.3, 2014.07, 5.4-dev
When a user/group has multiple roles assigned, and one of the roles has a subtree limitation, section/assign will not consider other (more permissive) roles/policies.
Steps to reproduce:
- Create role 1: section, assign, NewSection( Standard , Media , Restricted )
- Create role 2: section, assign, NewSection( Standard , Media , Restricted )
- Create Folder 'TestFolder' under root, and article 'TestArticle' beneath.
- Create user 'TestUser' under group Editors
- Assign role1 to 'TestUser' with subtree limitation /TestFolder
- Assign role2 to 'TestUser' without limitations.
- Login with 'TestUser'
- Edit 'TestArticle', verify that modifying section works as intended.
- Edit other content outside of the '/TestFolder' path, verify that setting section does not work.
The following will be displayed in error.log:
[ Sep 12 2014 18:23:49 ] [127.0.0.1] : You do not have permissions to assign the section <Media> to the object <OtherArticle>.