Permission denied for specific Action when two groups are assigned to user #442

Open
Nikhil13x opened this issue Dec 9, 2023 · 4 comments

Comments

@Nikhil13x
Contributor

A user is assigned with two groups.
Group 1 - Administrator with all permissions and their actions enabled
Group 2 - TestGroup - with one action unselected (Admin Area.Manage Products -> "List")

In this case, the user is not allowed to "List" the products, even if the permission is assigned via one group. The deny rule takes precedence.

Is this expected behaviour?

@Nikhil13x
Contributor Author

image

This snippet returns false on the occurrence of a deny rule in actions. Should it return true whenever there is no deny rule for a group in the for loop instead?

@KrzysztofPajak
Member

@Nikhil13x yes, it is expected behaviour.

@Nikhil13x
Contributor Author

@KrzysztofPajak Understood. But the logic at the permissionSystemName level works the other way. If the checkbox is selected for any group assigned to the user, it allows access.
Only at the action level is the deny rule applied. It's a little confusing.

@KrzysztofPajak
Member

@Nikhil13x you are right, it can be a little confusing.
I will consider changing it.
In the PermissionAction collection (in database) we save records to which you do not have access. In this case, we will have to change the operating mechanism and perform a migration.
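
An added example, not code from the project or from any participant in this thread: a small Python model of the two evaluation rules discussed above (allow-if-any-group at the permission level, deny-wins at the action level), plus a helper that lists the actions on which they disagree. All class, function and permission names are hypothetical, and the deny-record store only mirrors the description of the PermissionAction collection given above.

```python
# Constructed model of the behaviour described in the thread; all names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    # Permission system names whose checkbox is selected for this group.
    permissions: set = field(default_factory=set)
    # (permission, action) pairs stored as "no access" records, mirroring the
    # description of the PermissionAction collection.
    denied_actions: set = field(default_factory=set)


def has_permission(groups, permission):
    """Permission level: any group that grants the permission is enough."""
    return any(permission in g.permissions for g in groups)


def action_allowed_deny_wins(groups, permission, action):
    """Action level as reported: one deny record in any group blocks the action."""
    if not has_permission(groups, permission):
        return False
    return not any((permission, action) in g.denied_actions for g in groups)


def action_allowed_any_group(groups, permission, action):
    """Alternative raised in the thread: allowed if some granting group has no deny record."""
    return any(
        permission in g.permissions and (permission, action) not in g.denied_actions
        for g in groups
    )


def divergent_actions(groups, permission, actions):
    """Actions on which the two rules disagree, e.g. to size the impact of a change."""
    return [
        a for a in actions
        if action_allowed_deny_wins(groups, permission, a)
        != action_allowed_any_group(groups, permission, a)
    ]


# Constructed sample data matching the scenario in the issue.
ADMIN = Group("Administrator", {"ManageProducts"})
TEST_GROUP = Group("TestGroup", {"ManageProducts"}, {("ManageProducts", "List")})
USER_GROUPS = [ADMIN, TEST_GROUP]
```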
