From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20030314

Description of problem:
When assigning permissions to objects, the forms 'appear' to silently fail if
the user is already inheriting the permission, either through the object context
hierarchy, or the privilege implications hierarchy.

For example:

  * Attempting to assign 'Administrator Account' as the admin for a role in CMS
'fails' because the SWA already has admin across the whole site. However, if you
assign the user as a role admin & then make them a SWA there are no problems.

  * Manipulating folder permissions. If the user already has 'create item'
privilege, then it is impossible to explicitly turn on 'edit item'. However, if
they are assigned in the other order (ie edit, then create) it works fine.

The problem appears to be that PermissionManager#grantPermission has the
following check:

    boolean hasPermission = checkPermission(universalPermission, isUser);
    if (hasPermission) {
        return true;
    }

The intent was obviously to avoid redundant privilege grants, but as the two
examples above illustrate, this is impossible & leads to very confusing user
interfaces / interactions. The check in in grantPermission should probably be
changed to only check for an exact match of the 'object,party,privilege'
triplet. ie ignore the object context & privilege implications heirarchies.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Go into the content section
2. Go to the roles tab
3. Add 'administrator account' as the role admin
    

Actual Results:  Nothing happens.

Expected Results:  The administrator is assigned as role admin.

Additional info: