TYPO3 Core

The problem is inside

/typo3/sysext/workspaces/Classes/Hook/PreviewHook.php:140 ff

// Either use configured workspace mount (of the workspace) or current page id
if (empty($tempBackendUser->groupData['webmounts'])) {
    $tempBackendUser->groupData['webmounts'] = !empty($workspaceRecord['db_mountpoints']) ? $workspaceRecord['db_mountpoints'] : $pObj->id;
}

The $tempBackendUser->groupData['webmounts'] will contain the webmounts of the BE user who generated this preview link, so if he switched to another workspace with db_mountpoints out of the scope of our page to view, we are off.

But removing this line may lead to a security issue, if the db_mountpoints of the be_user is deeper then the one of the workspace ... he could then see pages out of his scope inside the preview.

We could add, before calling $tempBackendUser->fetchGroupData(); something like

$tempBackendUser->user['workspace_id'] = $workspaceUid;

but the function fetchGroupData() calls workspaceInit() which may lead to workspace change on user record.

Maybe it helps todo before $tempBackendUser->fetchGroupData(); (but it is a bit fragile IMHO):

$tempBackendUser->setTemporaryWorkspace($workspaceUid);
$tempBackendUser->user['workspace_id'] = $workspaceUid;

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55613

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55341

Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55613