Bug report

Summary

In working on a solution for #16048, I discovered that changes to a Role definition—specifically its authority—do not update ACL entries that use the Role.

Step to reproduce

1. Create at least one Role (via ACLs, Roles tab).
2. Assign this Role anywhere access permissions can be defined. An easy area to observe this is in the Media Source editing panel.
3. Change the Role's authority (via ACLs, Roles tab).
4. Return to the object for which you assigned permissions using this Role.

Observed behavior

The ACL in question (where you changed its Role's authority) will no longer appear on the object.

Expected behavior

Updates to Role authority should also update all objects that use the Role in an ACL.

Note

This root cause of this is what I suspect is a bit of a data design flaw: A value of the Role (the authority) is what's saved in every ACL's db entry, not its primary key (id in this case). This complicates matters when we need to update an assigned Role. Now, we'll need to search through every ACL table for entries where the given authority value exists. Perhaps this can be redesigned in the future, but I know that wouldn't be possible until a feature release at the very least, and maybe not until the next major release. Something to consider...

Environment

MODX 2.8.7 and 3.1.0-dev (and presumably any version of 3.x)