[keycloak-user] Probable bug in permissions evaluation

Hello, I believe I found a bug in the permissions evaluation engine, and I didn't see anything in JIRA about this. I am running Keycloak 4.3.0.Final. I configured some permissions such that a user would have access to the read scope on one resource, but not on another. When I evaluate permissions on each of the resources and read scope by themselves, they are properly granted and denied, as expected. However, when I evaluate both resources at the same time, the result is wrong, and it depends on the order in which I add the resources. If I add the allowed resource first, then they are both granted, but if I add the forbidden resource first, then they are both denied. What I expected is that one is allowed and the other is denied, regardless of the order I add them to the request. I have verified this in the admin console and the REST and Java APIs, and it produces the same broken result. Unless I'm missing something, this is a critical bug that would impact our planned usage of Keycloak. Thank you, Dave