flask-rbac
allow() with "with_children=true" not working for child roles
Referring to the unit test as an example, my expectation is that accessing /e as a staff_role_user should work because staff_role_user is a child of everyone. But from my testing, this is not true.
@app.route('/e')
@after_decorator
@rbac.deny(roles=['everyone'], methods=['GET'], with_children=True)
@before_decorator
def e():
    return Response('Hello from /e')
.
.
.
def test_allow_get_view(self):
    global current_user
    current_user = normal_user
    self.assertEqual(self.client.open('/d').data.decode('utf-8'), 'Hello from /d')
    current_user = staff_role_user
    self.assertEqual(self.client.open('/d').data.decode('utf-8'), 'Hello from /d')
    self.assertEqual(self.client.open('/e').data.decode('utf-8'), 'Hello from /e')  # Condition not tested
My suspicion is that during the _setup_acl method, there is no check for acls already in the allow list before adding to deny list AND with_children needs to be removed so that allow's with_children can take effect.
for rn, method, resource, with_children in self.before_acl['deny']:
    role = self._role_model.get_by_name(rn)
    if not self.acl.is_allowed(rn, method, resource):  # This check is missing
        self.acl.deny(role, method, resource)  # with_children needs to be removed
I'm new to flask-rbac, so I'd appreciate it if someone can confirm my findings above.
Thank you.
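To make the precedence question in the report concrete, here is an added, self-contained model of a role-hierarchy ACL. It is not flask-rbac's code and not the reporter's: it only borrows the allow/deny/with_children vocabulary used above. The `Role` and `ACL` classes, `build_acl`, the rule order (allows applied before denies), the "unlisted role is refused" default in `check`, and the constructed scenario in `demo()` (including an assumed explicit allow of `/e` for `staff_role`, which is what the reporter's expectation implies but the excerpt does not show) are all assumptions of this example. `proposed_guard=True` applies the change the report suggests: consult the rule's own role in the allow table before denying, and drop `with_children` from the deny.

```python
# Added example (not flask-rbac's code): a minimal role-hierarchy ACL that
# reuses the allow/deny/with_children vocabulary from the issue so the
# precedence question can be run end to end. Every class, signature, rule and
# evaluation default below is an assumption of this example, not the library's.
from collections import deque


class Role:
    """A named role; children are derived from the parents passed in."""

    def __init__(self, name, parents=()):
        self.name = name
        self.parents = list(parents)
        self.children = []
        for parent in self.parents:
            parent.children.append(self)

    def descendants(self):
        """Every role below this one in the hierarchy, breadth-first."""
        seen, queue = [], deque(self.children)
        while queue:
            role = queue.popleft()
            if role not in seen:
                seen.append(role)
                queue.extend(role.children)
        return seen


class ACL:
    """Explicit allow and deny tables keyed by (role name, method, resource)."""

    def __init__(self):
        self._allowed = set()
        self._denied = set()

    @staticmethod
    def _targets(role, with_children):
        # with_children expands a rule to every descendant of the role.
        return [role] + (role.descendants() if with_children else [])

    def allow(self, role, method, resource, with_children=False):
        for target in self._targets(role, with_children):
            self._allowed.add((target.name, method, resource))

    def deny(self, role, method, resource, with_children=False):
        for target in self._targets(role, with_children):
            self._denied.add((target.name, method, resource))

    def is_allowed(self, role_name, method, resource):
        return (role_name, method, resource) in self._allowed

    def is_denied(self, role_name, method, resource):
        return (role_name, method, resource) in self._denied

    def check(self, role_name, method, resource):
        """Model's policy (assumed): an explicit deny wins; an unlisted role is refused."""
        if self.is_denied(role_name, method, resource):
            return False
        return self.is_allowed(role_name, method, resource)


def build_acl(roles, allows, denies, proposed_guard=False):
    """Apply allow rules, then deny rules (the order the issue attributes to _setup_acl).

    proposed_guard=True applies the change suggested in the issue: skip the deny when
    the rule's own role already has an allow, and drop with_children from the deny.
    """
    acl = ACL()
    for role_name, method, resource, with_children in allows:
        acl.allow(roles[role_name], method, resource, with_children)
    for role_name, method, resource, with_children in denies:
        role = roles[role_name]
        if proposed_guard:
            if not acl.is_allowed(role.name, method, resource):
                acl.deny(role, method, resource)
        else:
            acl.deny(role, method, resource, with_children)
    return acl


def demo():
    """Constructed scenario: staff_role is a child of everyone, /e is denied to everyone
    with children, and (assumed, mirroring the issue's expectation) staff_role holds
    an explicit allow on /e."""
    everyone = Role("everyone")
    staff_role = Role("staff_role", parents=[everyone])
    roles = {"everyone": everyone, "staff_role": staff_role}
    allows = [("everyone", "GET", "/d", True), ("staff_role", "GET", "/e", False)]
    denies = [("everyone", "GET", "/e", True)]

    current = build_acl(roles, allows, denies)
    guarded = build_acl(roles, allows, denies, proposed_guard=True)
    # Second scenario: everyone also holds an allow on /e, so the guard skips the deny entirely.
    guarded_conflict = build_acl(
        roles, allows + [("everyone", "GET", "/e", False)], denies, proposed_guard=True
    )
    return {
        "current_staff_e": current.check("staff_role", "GET", "/e"),  # False: deny propagated
        "current_staff_d": current.check("staff_role", "GET", "/d"),  # True
        "guarded_staff_e": guarded.check("staff_role", "GET", "/e"),  # True: deny no longer reaches child
        "guarded_everyone_e": guarded.check("everyone", "GET", "/e"),  # False
        "guarded_conflict_everyone_e": guarded_conflict.check("everyone", "GET", "/e"),  # True: deny skipped
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two readings side by side: applying the deny with children (the `current` build) refuses `staff_role` on `/e` even with an explicit allow, while the proposed guard (`guarded`) stops the deny from reaching the child role. The `guarded_conflict` case is the part worth weighing when reviewing such a change: once an allow on the rule's own role suppresses the deny, the deny rule for `everyone` on `/e` has no effect at all, so the change moves the policy from deny-wins to allow-wins for that resource. Whether the library's real `_setup_acl` and its default for unlisted roles behave as this model does is exactly the question the report asks; the model only makes the consequences of each ordering explicit.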