@kedars I'm so sorry - not sure how I've tested it, but I've managed to introduce two regressions addressed here:
The guards for dropping the new fabric and its single ACL entry of course need a flag
The second fix restores unconditional "ADMIN" privileges for any PASE session, as it was in your original code
ACL unit tests did not catch this because, ahem, I've changed them too to reflect my (wrong) understanding that a PASE session has ADMIN access only until it is upgraded with a valid fabric index. Which is - in retrospective - completely false, because even after the upgrade - given that ACLs only work for CASE sessions (PASE auth mode is "future") - the unconditional ADMIN for any PASE should remain.
It is another topic that on commissioning complete we should kill off all PASE sessions which I'm not yet sure is happening (for which I'll create a separate small PR later if necessary)
@kedars I'm so sorry - not sure how I've tested it, but I've managed to introduce two regressions addressed here:
The guards for dropping the new fabric and its single ACL entry of course need a flag
The second fix restores unconditional "ADMIN" privileges for any PASE session, as it was in your original code