I found the following strange behavior in EventStore 4.1.1-hotfix1.
When I add e.g. the new user JohnDoe with SomeGroup and edit the metadata of a stream MyDomain to allow access only for users of SomeGroup, everything works as expected.
However, if I then update JohnDoe and remove him from SomeGroup, the user can still access MyDomain.
I’ve verified that the updates were correctly processed in the Web-UI as well as via curl.
I’ve tried the above-described scenario as well as other scenarios and have come to the conclusion that the access control code only cares about the groups a user was created with but completely ignores subsequent updates to the groups.
Deleting the user and recreating him with the new groups instead of updating has worked for me, however.
I’ve added a file with the curl-statements I’ve issued and the responses I have received.
(I’ve attached this just for your convenience, so don’t look for formatting errors in my JSON - I have verified the same behavior by using a Java client and the Web-UI where possible).
acl-ignores-groups.log (1.88 KB)
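A small model of the behaviour the report describes, added here as an example (it is not EventStore's code): an authorisation check that consults the groups captured when the user was created never sees later updates, while one that re-resolves membership at check time does, and deleting and recreating the user refreshes the stale snapshot, which matches the workaround above. The `UserStore`, the function names and the `$r` ACL shape are assumptions.

```python
"""Stale-vs-current group resolution in a stream ACL check (constructed model)."""
from dataclasses import dataclass, field


@dataclass
class UserStore:
    groups: dict = field(default_factory=dict)        # login -> current groups
    created_with: dict = field(default_factory=dict)  # login -> groups at creation

    def add_user(self, login, groups):
        self.groups[login] = set(groups)
        self.created_with[login] = set(groups)  # snapshot the buggy check reads

    def update_user(self, login, groups):
        self.groups[login] = set(groups)        # snapshot is never refreshed

    def delete_user(self, login):
        self.groups.pop(login, None)
        self.created_with.pop(login, None)


def can_read_stale(store, login, acl):
    """Buggy: authorises against creation-time groups, so removal has no effect."""
    return bool(store.created_with.get(login, set()) & set(acl["$r"]))


def can_read_current(store, login, acl):
    """Correct: resolves group membership at authorisation time."""
    return bool(store.groups.get(login, set()) & set(acl["$r"]))


def reproduce():
    """Scenario from the report; returns (stale, current) after each step."""
    acl = {"$r": ["SomeGroup"]}  # constructed, shaped like an EventStore $acl
    store = UserStore()
    store.add_user("JohnDoe", ["SomeGroup"])
    after_add = (can_read_stale(store, "JohnDoe", acl),
                 can_read_current(store, "JohnDoe", acl))
    store.update_user("JohnDoe", [])  # remove him from SomeGroup
    after_update = (can_read_stale(store, "JohnDoe", acl),
                    can_read_current(store, "JohnDoe", acl))
    store.delete_user("JohnDoe")  # the workaround: delete and recreate
    store.add_user("JohnDoe", [])
    after_recreate = (can_read_stale(store, "JohnDoe", acl),
                      can_read_current(store, "JohnDoe", acl))
    return after_add, after_update, after_recreate


if __name__ == "__main__":
    print(reproduce())
```

The middle tuple is the reported defect: the stale check still grants read access after the group was removed, while the current-membership check denies it.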