When using multiple StateGroup limitations in one policy they combine using the "or" relationship instead of the "and" one. This means only one of these limitations must apply in order for the policy to work. Other limitations combine using the "and" relationship. Also, quoting the documentation (https://doc.ez.no/display/DEVELOPER/Repository#Repository-Overview): "Note that Policies on one Role are connected with the and relation, not or, so when Policy has more than one Limitation, all of them have to apply".
Steps to reproduce:
- Create fresh eZ Publish 5.4.10 installation.
- Create two object states groups with two object states each:
- In the backoffice, go to Setup/States tab.
- Create two object states groups there, named for example "group_one" and "group_two".
- In "group_one" create two object states, named for example "group_one_state_one" and "group_one_state_two".
- In "group_two" create two object states, named for example "group_two_state_one" and "group_two_state_two".
- Create a new Content object and change one of its Content States:
- In the backoffice go to the "Content structure" tab.
- Create new Article as the Subitem of the "Home" Content Object and name it "Test". Publish it.
- For the "Test" Content Object, in the "Details" tab, change the Content States so that it has "group_one_state_one" and "group_two_state_two" Content States set, respectively.
- Add two limitations for content read policy for Anonymous, where only one is applying for "Test" Content Object:
- In the backoffice go to the User accounts/Roles and policies tab. Edit Anonymous role.
- Edit the "content - read - Section" policy there.
- Set "group_one_state_one" under the "StateGroup_group_one" and "group_two_state_one" under the "StateGroup_group_two". Notice that only one of these limitations will apply for the "Test" Content Object. Click "OK" and then "Save".
- Logout from the backoffice.
- Go to your frontoffice, to your-site.dev/Test. Notice that you have access despite being Anonymous. Correct behaviour: you should have been redirected to the "login" page.