From 2727e241522db850ad729c8f92deeb9bd37142ca Mon Sep 17 00:00:00 2001
From: Francis Charette Migneault <francis.charette.migneault@gmail.com>
Date: Thu, 29 Oct 2020 12:44:17 -0400
Subject: [PATCH] update comments of effective permission to be even more
 explicit about the process

---
 magpie/services.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/magpie/services.py b/magpie/services.py
index 2e5bf4c65..9e59e2328 100644
--- a/magpie/services.py
+++ b/magpie/services.py
@@ -306,19 +306,21 @@ def effective_permissions(self, user, resource, permissions=None, allow_match=Tr
 
                     # less obvious use case for both of the following user/group blocks:
                     #   no need to check explicitly for ALLOW since it was either already set during previous iteration
-                    #   (at that moment, perm=None) or a DENY was already set, but it takes precedence over it anyway
+                    #   (at that moment, perm=None) or DENY was already set, and DENY takes precedence over ALLOW anyway
 
                     # user direct permissions have priority over inherited ones from groups
+                    # if inherited permission was found during previous iteration, overwrite it with direct permission
                     if perm_set.type == PermissionType.DIRECT:
                         perm = effective_perms.get(perm_name)
-                        # explicit user DENY overrides user ALLOW if any already found
+                        # explicit user direct DENY overrides user direct ALLOW if any already found
+                        # if inherited permission was previously set, user direct ALLOW has priority over inherited DENY
                         # if permission name not already found, ALLOW/DENY is set regardless (first occurrence)
                         if perm is None or perm.type == PermissionType.INHERITED or perm_set.access == Access.DENY:
                             effective_perms[perm_name] = perm_set
                         continue  # final decision for this user, skip any group permissions
 
-                    # otherwise check for group permission
-                    # like previously, explicit DENY overrides ALLOW if permission name was already found
+                    # otherwise check for group(s) inherited permission, all groups have equal priority
+                    # explicit group inherited DENY overrides group inherited ALLOW if permission name was already found
                     # if permission name not already found, ALLOW/DENY is set regardless (first occurrence)
                     perm = effective_perms.get(perm_name)
                     if perm is None or (perm.type == PermissionType.INHERITED and perm_set.access == Access.DENY):