Hi devs,
while trying to figure out how to fix
http://jira.xwiki.org/browse/XWIKI-13269 "Multiple values for one permission pair handled wrong"
I ran into a question about how to resolve conflicting rights/permissions.
I guess that resolving rights conflicts assigned to the same object/level (i.e. page or
wiki) but different principals (i.e. user and a group of that user)
is not much different than resolving a conflict with rights for the same principal (as
happened in the bug report, getting two rights for the anonymous user after an upgrade
conflict).
If I understand the documentation here:
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Permission+types/
then usually "deny" takes precedence over "allow", except for the
"Special Permissions": "admin", "programming",
"register", "create wiki" and "script".
However when I look at the implementation in org.xwiki.security.authorization.Rights
I can see the rights have a "tieResolutionPolicy", which is "ALLOW"
for "register", "admin" and "programming",
but not for "create wiki" and "script".
Is the "tieResolutionPolicy" something different than the priority order? If
not, who is right, the implementation or the documentation?
(However, no matter what the answer is, the UI needs to be updated, as it always assumes
that deny takes precedence, giving the wrong answer at times.)
Thanks,
Clemens
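
The conflict described in the message above, as an added example that is not part of the original mail and is not XWiki code: a simplified model that resolves allow/deny ties at one level under three policy tables and reports where they disagree. The function names, principals and rules are constructed, and the tables encode only what the message reports, with DENY assumed for every right not listed.

```python
# Simplified model of allow/deny tie resolution at a single level.
# Not XWiki's implementation: all names here are hypothetical, and the
# policy tables only encode what the message above reports.
from collections import defaultdict

ALLOW, DENY = "allow", "deny"

# What the UI assumes, per the message: deny always takes precedence.
UI_POLICY = {}
# What the message reports seeing in the implementation.
IMPL_POLICY = {"register": ALLOW, "admin": ALLOW, "programming": ALLOW}
# What the message reports the documentation lists as special permissions.
DOC_POLICY = {**IMPL_POLICY, "create wiki": ALLOW, "script": ALLOW}


def resolve(rules, tie_policy):
    """Resolve (principal, right, state) rules that all sit on one level.

    A right with both ALLOW and DENY entries is a tie, whether the entries
    come from different principals or from the same one (the duplicate
    anonymous entries in the bug report). Ties fall back to tie_policy,
    with DENY assumed for rights the table does not list.
    """
    states = defaultdict(set)
    for _principal, right, state in rules:
        states[right].add(state)
    resolved = {}
    for right, seen in states.items():
        if len(seen) > 1:
            resolved[right] = tie_policy.get(right, DENY)
        else:
            resolved[right] = next(iter(seen))
    return resolved


def disagreements(rules, policy_a, policy_b):
    """Rights whose effective state differs between two policy tables."""
    a, b = resolve(rules, policy_a), resolve(rules, policy_b)
    return sorted(right for right in a if a[right] != b[right])


# Constructed sample rules, not taken from any real wiki.
SAMPLE_RULES = [
    ("anonymous", "view", ALLOW), ("anonymous", "view", DENY),
    ("user:alice", "register", ALLOW), ("group:staff", "register", DENY),
    ("user:alice", "script", ALLOW), ("group:staff", "script", DENY),
    ("user:alice", "edit", ALLOW),
]

if __name__ == "__main__":
    print("UI vs implementation:", disagreements(SAMPLE_RULES, UI_POLICY, IMPL_POLICY))
    print("implementation vs docs:", disagreements(SAMPLE_RULES, IMPL_POLICY, DOC_POLICY))
```

Running the same comparison over an exported set of rights entries lists the rights whose displayed state can differ from the enforced one.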