I am using Alfresco v6.0.a (Dockerized). I have deployed Alfresco in a production eviornment and I have configured Folder Based Workflows for them. I have experienced a problem related to workflow security. Lets suppose there is user A and user B. When user A approves a document, the document is moved into a folder named "B Approval", in which a user B with a Manager role only for this folder, is allowed to approve the document for further approval. Now only user A and user B have permission to access the folder "B Approval". The folder "B Approval" is inside a parent folder named as "Archive B". Only user B have access to folder Archive B. So I have given access to user A only on the folder "B Approval" so that user A can only approve the document and cannot view the document after approval. The approved document is inside "B Approval" folder which is the child of "Archive B". Since user A has only access to the child folder and not the parent folder, the user cannot view the document after the documents is moved on approval.
Now the problem is when user A approves the document without priviewing it and the document is moved to folder "B Approval", user A cannot access it but when user A previews the document and approves the document on the same preview page by clicking on Approve button on right side of the pannel and on Approval on the top of the preview Alfresco shows the path that Where the document is moved. Now if user A click on that path that path, user A is redirected to the folder "B Approval", which was hidden from the user. I was expecting that user A should not access documents even if the user is redirecting through the preview page.
In any circumstances user A should not have access to the restricted folder.
Can anyone explain why the user is able to access the document if the user is redirecting through priview page after document is approved?