- Issue created by @djdevin
Quite an edge case and maybe a wontfix, but it did throw us for a loop.
If the `wse_preview` cookie exists but is on a parent domain, when logged into the site as a workspaces user, it's not possible to switch out of the current workspace without clearing cookies. This happens when a site is running on two domains, one being a child. For example having "mycompany.com" as the frontend but "something.drupal.mycompany.com" as the backend. This is common with CDNs and proxies (Cloudflare etc.)
wse_preview can only clear the `wse_preview` cookie on the current domain when it detects a workspace being unset. Additionally the "access workspace previews" only applies to the route that sets the cookie.
Once the cookie is set, the negotiator does not check this permission and will activate the workspace for that request regardless. I assumed that having "access workspace previews" granted to the anonymous user would mean that it would not switch for admins, but it is only for the initial request. Since `wse_preview` only deletes the cookie on the current domain, the parent one still persists and locks the workspace.
1. Set up a site with workspaces such that there are two possible domains e.g. stage.mydomain.com and mydomain.com
2. Ensure the mydomain.com site sets cookies on .mydomain.com
3. Create a workspace in mydomain.com, generate a preview link, dump the database down to stage.mydomain.com
4. Login to stage.mydomain.com as Workspace administrator
5. Access the preview link on mydomain.com
6. Attempt to switch workspaces
7. Workspace is stuck
A quick way to manually reproduce this is with cookies, if you're on Lando or DDEV:
1. Generate preview link for a workspace, access while logged in
2. Change the domain of the `wse_preview` cookie to (the parent) `.lndo.site`
3. Attempt to switch workspaces on your `drupal.lndo.site`
4. Locked in workspace
The workspace gets stuck because wse_preview cannot delete the cookie on mydomain.com if a workspace is being unset on stage.mydomain.com. This seems unfixable since it can't possibly know that mydomain.com should also have a cookie deleted.
A solution might be to check "access workspaces previews" in the negotiator, however this might break in some conditions where the user can also do administrative tasks with Workspaces. But I can't think of a condition where a Workspaces administrator would also need the ability to access preview links.
To temporarily fix the problem I just overrode the cookie workspace negotiator and checked that permission, so it would not affect administrators.
Active
2.0
Workspace Preview
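The cookie scoping behind this report, as an added example (not code from wse_preview or from the issue author): a simplified model of RFC 6265 cookie storage showing that a host-only expiry leaves the parent-domain `wse_preview` cookie in place. `CookieStore`, `parent_domains` and `expire_everywhere` are hypothetical names; the model fixes the path to `/` and does not apply the public-suffix checks real browsers do.

```python
class CookieStore:
    """Minimal browser cookie jar: RFC 6265 keys a cookie by (name, domain, path)."""

    def __init__(self):
        self.cookies = {}  # (name, domain) -> (value, host_only); path is always "/"

    def set_cookie(self, request_host, name, value, domain=None, expired=False):
        """Apply one Set-Cookie header received in a response from request_host."""
        host_only = domain is None
        domain = request_host if host_only else domain.lstrip(".").lower()
        if not domain_match(request_host, domain):
            return False  # a host may only set cookies for itself or a parent
        if expired:
            # An expired Set-Cookie removes only the entry with this exact domain.
            self.cookies.pop((name, domain), None)
        else:
            self.cookies[(name, domain)] = (value, host_only)
        return True

    def sent_to(self, request_host, name):
        """Values of `name` the browser attaches to a request for request_host."""
        return [value for (n, d), (value, host_only) in self.cookies.items()
                if n == name and (request_host == d if host_only
                                  else domain_match(request_host, d))]


def domain_match(host, domain):
    return host == domain or host.endswith("." + domain)


def parent_domains(host):
    """The host and each parent domain that still has at least two labels."""
    labels = host.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def expire_everywhere(store, request_host, name):
    """Hypothetical mitigation: expire the cookie on the host and on every parent."""
    store.set_cookie(request_host, name, "", expired=True)
    for domain in parent_domains(request_host):
        store.set_cookie(request_host, name, "", domain=domain, expired=True)
```

With the Lando hosts from the manual reproduction, a cookie stored for `.lndo.site` is still sent to `drupal.lndo.site` after a host-only expiry and disappears only once an expiry carrying the matching `Domain` attribute is applied.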