Bug: Page ACLs not respected in plain view nor admin view

[jgonyea]

Goal: Restrict pages based upon what group a user belongs to

Process:

• Create 2 users (user1, user2) and assign each individually to groups (group1, group2).
• In each group, grant the following:

  access:
  site:
    login: true
  admin:
    login: true
    cache: true
    pages:
      create: true
      update: true
      list: true
  enabled: true

• Create 2 pages (group1-content, group2-content)
• On page 1, set headmatter to:

  permissions:
  groups:
      group1:
          read: true
          update: true
      group2:
          read: false
  login:
  visibility_requires_access: true
  access:
  admin.users.read: true

• On page 2, set the flipped headmatter to:

  permissions:
  groups:
      group1:
          read: false
      group2:
          read: true
          update: true
  login:
  visibility_requires_access: true
  access:
  admin.users.read: true

• Clear cache

Expectation:

1. When not logged in, neither page allows anonymous access
2. When logged in as user1:
   1. Page 1 is viewable
   2. Page 1 is editable in admin
   3. Page 2 is not viewable
   4. Page 2 is not editable in admin

Observation:

1. Neither page allow anon access and prompts for login. This seems correct.
2. When logged in as user1:
   1. Page 1 is not viewable and the message "You don't have access to this page..." is displayed (this is not expected)
   2. Page 1 is editable in admin (this is expected)
   3. Page 2 is not viewable and the message "You don't have access to this page..." is displayed (this is expected)
   4. Page 2 is editable in admin (this is not expected), and I get a toast notification in the top right about "Fobidden Access"

I've attached an example setup for the situation above. user.zip