#22 wrong privileges on collection with multiple groups
When a user has different privileges on a collection due to membership in several groups, the sql function path_privs might not get the correct resulting privileges. This happens because the query
SELECT privileges INTO out_conferred FROM grants
WHERE by_collection = grantor_collection
AND (to_principal=in_accessor OR to_principal IN (SELECT expand_memberships(in_accessor,in_depth)));
can deliver more than one row in this case, and it's quite arbitrary whether the highest privilege is first or not. The correct solution is probably to or-aggregate all bits to obtain all privileges over all groups the user is member in:
SELECT bit_or(privileges) INTO out_conferred FROM grants
WHERE by_collection = grantor_collection
AND (to_principal=in_accessor OR to_principal IN (SELECT expand_memberships(in_accessor,in_depth)));
This applies to V1.02
Thanks. This is fixed in Git now and will be in the next release.