Issue 3278: Gerrit ACL Deny is hard to use.
Status:  New
Owner: ----
Reported by Velly.zhou, Apr 7, 2015

Affected Version: v2.8.6.1


What steps will reproduce the problem?

  There are 3 projects, "All-Project", "Sencondary-Parent-Project" and "Child-Project", in Gerrit. Each later project is the child of the previous one in turn.

  The project configurations have the following sections:

  All-Project:
  [access refs/*]
      read = Registered User

  Sencondary-Parent-Project
  [access refs/heads/test]
      read = deny group Registered User
      read = allow group Administrator

  Child-Project
  [access refs/heads/test]
      read = allow group Group_Test

What is the expected output? What do you see instead?
  [Expected]
  I expect that only Administrator and Group_Test can access refs/heads/test in Child-Project. The read permission is denied to group Registered User in the Sencondary-Parent-Project project, and that is overridden by Child-Project.

  [Instead]
  This is not the case in Gerrit. (The read permission in Child-Project on refs/heads/test cannot limit the read that is configured on refs/* in All-Project.)
  Gerrit follows my expectation only when All-Project has a new access section with the same branch or the same branch wildcard:

  All-Project:
  [access refs/*]
      read = Registered User
  [access refs/test]
      read = Registered User

  All 3 projects in the inheritance chain have to grant the permission on the same branch (or the same wildcard), as above, to follow the design purpose "Deny can be overridden and Block cannot".