Improvement to one of the isAllowed() functions in authz

Description

While working on a different alternate role viewing bug, some code that existed in the kernel's authz code was reexamined and modified. The basic rundown was that the previous code in the isAllowed(String, String, Collection) function, located in the DbAuthzGroupService.java file, only checked the base site id (e.g. /site/siteId) for permissions on the role instead of all of the realms that were passed into the Collection, which the normal use case does in a big nested SQL statement. This caused the Podcast bug linked to this Jira to not work 100% correctly since the key realm to check was something like: /content/group/siteId/Podcasts/ .

So this new approach will make sure every realm passed into this function will get checked for permissions in the role that's being requested. It is also prioritized to check the /site/siteId realm first since that is where a true return will happen a vast majority of the time.

Not only does it fix the linked bug, but this may take care of a lot more bugs that may not have been discovered yet in other tools, since the scope of the feature is potentially any tool that exists in Sakai and switching to a different role with a countless number of permission/configuration scenarios.

The code was reviewed with colleagues at Indiana University and some suggested changes were implemented. I'm presenting this to the community now to try to get it into the 2.6 release since I think it is a critical improvement/bug fix.
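
The difference between the two behaviours described above, as an added example that is not part of the original report and is not the code in DbAuthzGroupService.java. The class, the method names, the role, the function names and the in-memory grant map (standing in for the SQL lookup) are all assumptions made for illustration; it shows the site-only check denying a permission that is granted in the Podcasts realm.

```java
import java.util.*;

public class RoleSwapRealmCheck {
    // Constructed grants: realm id -> role -> functions granted to that role in that realm.
    static final Map<String, Map<String, Set<String>>> GRANTS = Map.of(
        "/site/siteId", Map.of("Student", Set.of("site.visit")),
        "/content/group/siteId/Podcasts/", Map.of("Student", Set.of("content.read")));

    // Hypothetical helper: does the role hold the function in this one realm?
    static boolean granted(String realm, String role, String function) {
        return GRANTS.getOrDefault(realm, Map.of())
                     .getOrDefault(role, Set.of())
                     .contains(function);
    }

    // Behaviour described for the previous code: only the base site realm is consulted.
    static boolean checkSiteOnly(String role, String function, Collection<String> realms) {
        for (String realm : realms) {
            if (realm.startsWith("/site/")) {
                return granted(realm, role, function);
            }
        }
        return false;
    }

    // Behaviour described for the new approach: every realm is checked, site realms first.
    static boolean checkAllRealms(String role, String function, Collection<String> realms) {
        List<String> ordered = new ArrayList<>(realms);
        // Stable sort: /site/ realms move to the front, the rest keep their order.
        ordered.sort(Comparator.comparing((String r) -> !r.startsWith("/site/")));
        for (String realm : ordered) {
            if (granted(realm, role, function)) {
                return true;
            }
        }
        return false; // no realm grants the function: deny
    }

    public static void main(String[] args) {
        List<String> realms = List.of("/content/group/siteId/Podcasts/", "/site/siteId");
        System.out.println("site only, content.read:  " + checkSiteOnly("Student", "content.read", realms));
        System.out.println("all realms, content.read: " + checkAllRealms("Student", "content.read", realms));
        System.out.println("all realms, site.upd:     " + checkAllRealms("Student", "site.upd", realms));
    }
}
```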

Environment

None

Test Plan

None

Attachments

1
  • 23 Feb 2009, 08:59 AM

Activity

Stephen Marquard March 13, 2009 at 7:42 AM

As this is all in kernel, see KNL-130.

Incorporated

Details

Created February 23, 2009 at 8:59 AM
Updated March 27, 2012 at 7:00 AM
Resolved March 13, 2009 at 7:42 AM
