access improperly denied when acl_id has no users then later gains users

hi,

this seems to be a problem: if a particular acl grant should apply to a node but that acl id doesn't (yet) have any users associated with it, then the grant won't apply to that node when users are later added to the acl. for example, i create an acl_id "community_members" to allow community members to view a certain node. but, nobody is a community member yet. when the node is saved and grants written, node_access_records will not return the relevant grant and so will not allow a user who later becomes a community member to view the node. the problem is the "else deny access" clause below, which i've commented out. what i am not clear on is why this clause was motivated in the first place. is it really necessary?

of course, you can get around the problem by saving the node later after users are added to the acl id, but that's not really a solution because adding users to the acl "community members" is not connected to individual nodes, and so we don't know which nodes to save after a user's status has changed.

ed

p.s. note some discussion of this issue already at, for example, http://drupal.org/node/169991

/**
 * Implementation of hook_node_access_records().
 */
function acl_node_access_records($node) {
  if (!$node->nid) {
    return;
  }
  $result = db_query("SELECT n.*, 'acl' AS realm, n.acl_id AS gid, a.module FROM {acl_node} n INNER JOIN {acl} a ON n.acl_id = a.acl_id WHERE nid = %d", $node->nid);
  $grants = array();
  while ($grant = db_fetch_array($result)) {
    if (module_exists($grant['module']) && module_invoke($grant['module'], 'enabled')) {
      //if (acl_has_users($grant['gid'])) {
        $grants[] = $grant;
      //}
      /*else {
        //just deny access
        $grants[] = array(
          'realm' => 'acl',
          'gid' => 0,
          'grant_view' => 0,
          'grant_update' => 0,
          'grant_delete' => 0,
          'priority' => $grant['priority'],
        );
      }*/
    }
  }
  return $grants;
}