Bug: Page ACLs not respected in plain view nor admin view #287

Open
jgonyea opened this issue Dec 21, 2021 · 0 comments
jgonyea commented Dec 21, 2021

Goal: Restrict pages based upon what group a user belongs to

Process:

  • Create 2 users (user1, user2) and assign each individually to groups (group1, group2).
  • In each group, grant the following:

    ```yaml
    access:
      site:
        login: true
      admin:
        login: true
        cache: true
        pages:
          create: true
          update: true
          list: true
    enabled: true
    ```

  • Create 2 pages (group1-content, group2-content)
  • On page 1, set headmatter to:

    ```yaml
    permissions:
        groups:
            group1:
                read: true
                update: true
            group2:
                read: false
    login:
        visibility_requires_access: true
    access:
        admin.users.read: true
    ```

  • On page 2, set the flipped headmatter to:

    ```yaml
    permissions:
        groups:
            group1:
                read: false
            group2:
                read: true
                update: true
    login:
        visibility_requires_access: true
    access:
        admin.users.read: true
    ```

  • Clear cache

Expectation:

  1. When not logged in, neither page allows anonymous access
  2. When logged in as user1:
       • Page 1 is viewable
       • Page 1 is editable in admin
       • Page 2 is not viewable
       • Page 2 is not editable in admin

Observation:

  1. Neither page allows anon access and prompts for login. This seems correct.
  2. When logged in as user1:
       • Page 1 is not viewable and the message "You don't have access to this page..." is displayed (this is not expected)
       • Page 1 is editable in admin (this is expected)
       • Page 2 is not viewable and the message "You don't have access to this page..." is displayed (this is expected)
       • Page 2 is editable in admin (this is not expected), and I get a toast notification in the top right about "Fobidden Access"

I've attached an example setup for the situation above.
user.zip
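
The expected and observed results from the report above, written as an access-matrix regression check. This is an added example, not part of the original issue or the project's code. It assumes a deny-by-default model (an action is allowed only when one of the user's groups grants it and none denies it); the names `PAGES`, `USERS`, `OBSERVED`, `expected` and `mismatches` are hypothetical.

```python
# Added example: expected-vs-observed ACL matrix for the reproduction above.
# Assumed model (not the project's implementation): deny by default; an action
# is allowed only if one of the user's groups grants it and none denies it.

# Page permissions transcribed from the two frontmatter blocks in the report.
PAGES = {
    "group1-content": {"group1": {"read": True, "update": True},
                       "group2": {"read": False}},
    "group2-content": {"group1": {"read": False},
                       "group2": {"read": True, "update": True}},
}

# Group membership from the report; an anonymous visitor has no groups.
USERS = {"anonymous": [], "user1": ["group1"], "user2": ["group2"]}


def expected(user, page, action):
    """Deny-by-default decision under the assumed model."""
    rules = [PAGES[page].get(g, {}).get(action) for g in USERS[user]]
    return any(r is True for r in rules) and not any(r is False for r in rules)


# Observations as reported for anonymous and user1 (True = access was granted).
# "read" is the plain page view, "update" is editing the page in admin.
OBSERVED = {
    ("anonymous", "group1-content", "read"): False,
    ("anonymous", "group2-content", "read"): False,
    ("user1", "group1-content", "read"): False,
    ("user1", "group1-content", "update"): True,
    ("user1", "group2-content", "read"): False,
    ("user1", "group2-content", "update"): True,
}


def mismatches(observed):
    """Return (user, page, action, expected, observed) for every disagreement."""
    return [(u, p, a, expected(u, p, a), got)
            for (u, p, a), got in sorted(observed.items())
            if expected(u, p, a) != got]


if __name__ == "__main__":
    for user, page, action, want, got in mismatches(OBSERVED):
        kind = "over-permissive" if got and not want else "over-restrictive"
        print(f"{kind}: {user} {action} {page}: expected {want}, observed {got}")
```

Run against the reported observations, it flags the two deviations: the over-restrictive read of page 1 and the over-permissive admin edit of page 2.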
