Can't Do Things Even With Permission
Consider the following scenario:
User is a member of Usergroup-A and Usergroup-B.
- Usergroup-A has permission to view Area-A via global permissions.
- Usergroup-B has been denied access to Area-A (soft No).
Expected result: users who are members of Usergroup-B only cannot view Area-A; members of Usergroup-A can view Area-A; even if the user is a member of Usergroup-B, also being a member of Usergroup-A should give them view permissions (think user upgrades).
The problem here is that the processor locks permissions on a global level after processing each node in the tree, without considering that each group may have permissions customized at a different point in the tree. In order to fix the problem, permissions should only be locked at the group level after each node is processed. Once the entire tree is processed, take the grouped results and merge them following proper Yes/No/Never merge rules.
This does NOT have XSS implications, because the problem only presents when the user has a No permission and the expected result is Yes, and because XSS-related permissions are generally explicitly set on the appropriate nodes (Never is never overridden, and No would be locked re this bug). However, this bug has been assigned Priority=1 due to the "Login" issue - the user would be told they don't have permission to access a part of the wiki, even though they do.
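The difference between locking globally per node and locking per group, then merging, can be shown on the scenario above. This is an added sketch, not the project's code: the dictionary tree model and the function names (`merge`, `resolve_global_lock`, `resolve_per_group`) are assumptions, and the merge rule is the one the report implies (Never always wins, Yes beats a soft No).

```python
# Added illustration; data model and names are assumptions, not the project's code.
YES, NO, NEVER = "yes", "no", "never"

def merge(values):
    """Yes/No/Never merge: Never always wins, Yes beats a soft No."""
    vals = [v for v in values if v is not None]
    if NEVER in vals:
        return NEVER
    if YES in vals:
        return YES
    return NO if NO in vals else None

def resolve_global_lock(path, groups):
    """Buggy order: merge all groups at each node, then lock that result for everyone."""
    locked = None
    for node in path:
        at_node = merge(node.get(g) for g in groups)
        if locked != NEVER and at_node is not None:
            locked = at_node  # a deeper node overwrites the shared result
    return locked or NO

def resolve_per_group(path, groups):
    """Fixed order: lock per group down the tree, merge the groups once at the end."""
    per_group = {}
    for g in groups:
        locked = None
        for node in path:
            value = node.get(g)
            if locked != NEVER and value is not None:
                locked = value  # only this group's own setting can override it
        per_group[g] = locked
    return merge(per_group.values()) or NO

# Constructed tree for the scenario: root (global permissions) -> Area-A
GLOBAL = {"Usergroup-A": YES}
AREA_A = {"Usergroup-B": NO}
PATH = [GLOBAL, AREA_A]

if __name__ == "__main__":
    both = ["Usergroup-A", "Usergroup-B"]
    print("global lock:", resolve_global_lock(PATH, both))  # the reported bug
    print("per group:  ", resolve_per_group(PATH, both))    # the expected result
```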