The customer observed error with "Content / Manage locations" policy. Editors are able to remove content which wasn't created by them or are in the wrong state even though the mentioned policy is under following limitations:
State: Lock: Locked
Steps to reproduce:
1. Create a new role and add the policies which are presented on attached screenshots.
2. Add the following limitations to "Content / Manage locations" policy : State: Lock: Locked, Owner: Self
3. Assign created role to a new user
4. Note that this user can still delete objects with the state "not_locked" and objects that aren't created by this user.
Expected behavior: button 'Send to Trash' should be disabled.
It seems that $canDelete should be also taken into account when \EzSystems\EzPlatformAdminUi\Menu\ContentRightSidebarBuilder::ITEM__SEND_TO_TRASH is builded. Source code: https://github.com/ezsystems/ezplatform-admin-ui/blob/v18.104.22.168/src/lib/Menu/ContentRightSidebarBuilder.php#L186