Debugging access issues

[MarkE]

I am having a real head-scratch over an access issue. I have defined a role 'webmaster' which has all permissions assigned to it. However, whenever I assign this role to a user, none of the pages in the tree are editable. Users assigned lesser roles (with access to specific templates only) can edit the relevant pages, but if I add 'webmaster' to their roles, they no longer have edit access. Inspecting the templates shows that 'webmaster' has view, edit, create and add rights to all of them. The access overview module shows green ticks for webmaster everywhere.

Any ideas how I go about debugging this (or, better still, what might be causing it?)

[MarkE]

Additional info:

Here's an odd thing. I have a template "Membership" and roles "membership-secretary" and "webmaster" which both have page-edit permissions for that template. If I give a user the webmaster role, or both roles, then they cannot edit a Membership page. If I give the user both roles and REMOVE the page-edit permission for webmaster from the template, then the user CAN edit the page. Uhhh!!? (NB they can't edit it if they only have webmaster with no page-edit!)

I have another role "treasurer" which also has page-edit permission for Membership. If I give the user both membership-secretary and treasurer roles but not webmaster, the they can edit a Membership page. If I add webmaster to their roles (with page-edit permission for Membership) then they can no longer edit the page, but they can again if I remove the page-edit permission from webmaster.

I do have one or two functions which reference webmaster (to treat it the same as superuser for some purposes). I have double-checked all that code, but just to be certain the problem didn't lie there, I changed the role "webmaster" to  "web-master" without amending the php. The problem remained exactly as described. So the issue lies somewhere in the database, but I have no idea where to look. I did the obvious and went through all the webmaster permissions and checked that all the permissions were there and that there were no revocations. In any case, why would adding a page-edit permission have the effect of blocking it?

As a final throw of the dice, I created a new role "webmaster" (leaving the old one as web-master) with all page-edit permissions and the problem occurred with that too.

Completely stumped at the moment!

[MarkE]

SORTED!

Tripped up by page-edit-created:

"This permission is a bit unique in that it actually reduces access (to roles that have it) rather than adding access. " (my emphasis)

You can say that again - it's completely unique and a real gotcha! I blithely went assigning all permissions to my webmaster role without realising that assigning this one actually effectively removed page-edit from most pages. This is really counter-intuitive. Why do it this way? The natural approach seems to me not to assign page-edit permission and then assign page-edit-created as an additional permission.

To prevent me forgetting this (as if...), I have added a note to the title of the permission. It might be helpful to add something in the default title.

Edited February 19, 2020 by MarkE
Additional info