SEC-2615: accesscontrollist tag documentation incorrectly states hasPermission is an or #2831
In 3.1 the accesscontrollist tag began performing an AND on the permissions. This may have been accidental, but I think that it is more intuitive and secure for it to behave this way. When compared to hasAnyRole and hasRoles, the hasPermission tag implies it is an AND. If users end up needing OR support, then the authorize tag can be used along with the hasPermission expression. For example:
In general, the authorize tag should be preferred as it is the more powerful way of performing authorization checks.
According to section 4.4 of the Spring Security reference guide:
However, the tag seems to check that the user must have all the permissions listed in the hasPermission attribute.
It looks like SEC-1560 introduced the problem. I believe that means it impacts versions 3.1 through the current version.
I'm attaching a diff that I believe will get the tag working as documented again.
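The two behaviours discussed in this issue side by side, as an added example that is not part of the issue thread, the attached diff, or the Spring Security source: the accesscontrollist tag requiring every listed permission (the 3.1 behaviour the resolution keeps), and the authorize tag with a hasPermission() expression as the way to get OR semantics. It assumes the Spring Security JSP taglib is on the classpath, that a PermissionEvaluator resolving the permission names READ and WRITE (such as AclPermissionEvaluator with its default permission factory) is configured, and that a page-scoped bean named `document` is the domain object being checked; all three are assumptions for illustration.

```jsp
<%-- Added example, not code from the issue or from Spring Security itself.
     Assumes: Spring Security JSP taglib available, a PermissionEvaluator
     that understands the names READ and WRITE, and a page-scoped domain
     object bound as 'document'. --%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

<%-- AND semantics (3.1 onwards): the body renders only if the current user
     holds BOTH READ and WRITE on 'document'. A user with only READ sees
     nothing here. --%>
<sec:accesscontrollist domainObject="${document}" hasPermission="READ,WRITE">
  <a href="edit?id=${document.id}">Edit</a>
</sec:accesscontrollist>

<%-- OR semantics: use the authorize tag with a hasPermission() expression.
     '#document' is resolved from the page context; the body renders if the
     user holds READ or WRITE (or both). --%>
<sec:authorize access="hasPermission(#document, 'READ') or hasPermission(#document, 'WRITE')">
  <a href="view?id=${document.id}">View</a>
</sec:authorize>
```

Because accesscontrollist only fails closed once every permission in the list is checked, listing several permissions there tightens access; anyone who relied on the pre-3.1 OR reading should move that check to an authorize expression rather than loosen the tag.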