Description
Bug report
Summary
My users are in two groups, one which I apply to all users and which grants load-only access to the web context, full access to contentblocks and moregallery in the mgr context, and provides access to the manager via the "Content Editor" policy which does not grant publishing permissions. I then add my users to a second group granting them access to their specific context via a custom policy I created which does include the publishing permissions. My understanding is that a user's permissions should be the union of the permissions from all the groups to which he belongs. Prior to upgrading to 2.7.2 this was how it was working for me. After upgrading to 2.7.2 it seems like the permissions, at least with respect to the publishing ones, are now the intersection of the permissions from all the groups to which a user belongs. So both of these groups have to grant publish_document and unpublish_document before users can access any publishing options.
Step to reproduce
Create two user groups, one with a policy that includes publishing permissions and one using the "Content Editor" policy. Assign a user to these two groups, sans sudo, and then log in with that user.
Observed behavior
Users do not have access to the publish date and unpublish date fields or the publish/unpublish option in the context menu, and if the "published" checkbox is toggled it will revert to the previous state upon save.
Expected behavior
Users should be able to publish and unpublish resources without needing every group to grant that access.
Environment
MODX 2.7.2 on MODX Cloud.