javax.jcr.nodetype.ConstraintViolationException: Cyclic group membership detected for group '...'

[kwin]

As the check for cyclic group membership happens when Authorizable.addMember(...) is called (and not only after commit()) the order of addMember(...) and removeMember(...) matters. The latter should be called first on all managed authorizables to prevent the "Cyclic group membership" exception which may happen when a group has been fundamentally changed.

The reproduce the issue with 2.5.2 just create the following group memberships first

group 1 -> group 2 -> group 3 establish that membership in the ACTool and then change via config to group 2 -> group3 -> group1