User in multiple groups: are permissions combined?

[spomata]

Hi all, I'd like to achieve a permissions setup where all the wiki users belonging to a general group have read/write access to all content, except for some paths where only a more specialized group has exclusive write access.

I have configured a situation like:

group all: user1, user2, user3
read: / granted
write: / granted ; path starts with /some/path/ denied

group tech: user2
read, write: path starts with /some/path/ granted

However, user2 and any other user in the group tech are not able to edit the pages below /some/path.

Is that by design or am I doing something wrong? How could I achieve this kind of permission control otherwise?
Thanks

[P4mes4n]

A deny rule will always override the allow rule in this scenario, by design.

A quick solution would be to simply remove user2 from the global group and grant write to all paths to group tech.
If that is not possible you could make the path more precise so that the allow rule has a higher priority:
group all: /some/path/ ->denied
group tech: /some/path/tech ->allow

Its not pretty, but it should work. Or you could use a different path matching, as "path starts with" has the lowest priority. See here:
https://docs.requarks.io/groups

[spomata]

Thanks for the hint about the path matching priorities: effectively, using a simple path regexp match on the group tech allow rule (referring to my original example) did the trick.

I'd rather do this than having to maintain manually a list of allowed, more precise path for the group.