Issue 511: Duplicated access controls result in no access for anybody
Status:  Started
Owner: ----
Reported by rtylerc...@gmail.com, Mar 24, 2010
Per this discussion: http://groups.google.com/group/repo-
discuss/browse_thread/thread/5131f0a99a5acbd2

If a user [accidentally] adds two "Read Access" permissions, in my case for 
"Anonymous Users" all push access to the project breaks resulting in:

    % git push gerrit master 
        fatal: Upload denied for project 'news' 
        fatal: The remote end hung up unexpectedly 
    % 

Apr 10, 2010
#1 sop@google.com
Nico worked up this example of what's going on:

  Local:     READ +1 Anonymous users
  Inherited: READ +1 Anonymous users
  Inherited: READ +2 Registered users

Because everyone is a member of "Anonymous users" group
they match that local right of READ +1.  This shadows the
two inherited READ permissions.


The permission system isn't using the inherited permissions
here by design.  Its done this way so you can do:

  Local:     READ -1     Anonymous users
  Local:     READ +1..+2 Special People
  Inherited: READ +1     Anonymous users
  Inherited: READ +2     Registered users

This prevents anonymous users from seeing the project, but
allows "Special People" to see and upload to it.  It can be
useful to show most projects, but hide just a select handful.

Nico's patch in Iac783b8357932bba91a3b92db69e0bd9ef61fb24 is
going to break this behavior, which man cause surprises for
existing installations.


Right now, the behavior is "Working as Designed".  In my opinion
the bug here is that the design is hard to understand, and harder
still to diagnose when it doesn't work as expected.
Status: Started