JosephSilber / bouncer

Laravel Eloquent roles and abilities.


Unexpected scoping behavior

grantholle opened this issue · comments

commented

My reproduction repo.

The issue is essentially that if I add a permission with a scope, then remove the scope entirely and check the same permission, it comes back as a successful check because of missing scoping query clauses when the scope is null.

As you can see in my test, I am removing the scope entirely and checking to see if a user has permission on the current scope (none/null). The query without a scope does not explicitly check if scope = null, and therefore if a scope is currently not set in the application, the permission will pass regardless of what the original permission's scope was.

In my mind, how it should work is that if a permission is added when there is no scope set, then it should pass regardless of what the set scope is, which is the current behavior ("permissions"."scope" = # or "permissions"."scope" is null).

However, if I set a permission with a scope, it should only work if that is the current scope. I'm proposing we explicitly set the scope where clauses when there isn't a scope set for the application ("permissions"."scope" is null).
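The two query shapes discussed in this report, side by side, as an added illustration that is not code from Bouncer or from the issue author. It uses an in-memory SQLite table with a simplified schema: the `permissions` table and its `scope` column are taken from the quoted query, while the `abilities` table, the `entity_id` column, the user ids and the `edit-post` ability name are constructed assumptions. `check_loose` adds no scope clause at all when the application has no scope set (the behavior the report describes), and `check_strict` adds the proposed `scope IS NULL` clause instead.

```python
import sqlite3

# Constructed, simplified schema (assumption): a scoped permission row links a
# user (entity_id) to an ability, with scope NULL meaning "granted globally".
SCHEMA = """
CREATE TABLE abilities (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE permissions (
    ability_id INTEGER NOT NULL,
    entity_id  INTEGER NOT NULL,
    scope      INTEGER NULL
);
"""

BASE_SQL = """
SELECT 1
FROM permissions p
JOIN abilities a ON a.id = p.ability_id
WHERE p.entity_id = ? AND a.name = ?
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO abilities (id, name) VALUES (1, 'edit-post')")
    return conn


def grant(conn, user_id, ability, scope):
    # scope=None records a global (unscoped) grant.
    conn.execute(
        "INSERT INTO permissions (ability_id, entity_id, scope) "
        "SELECT id, ?, ? FROM abilities WHERE name = ?",
        (user_id, scope, ability),
    )


def check_loose(conn, user_id, ability, scope):
    """Behavior the issue reports: with no current scope, no scope clause is
    added, so a grant made under any tenant scope satisfies the check."""
    sql, params = BASE_SQL, [user_id, ability]
    if scope is not None:
        sql += " AND (p.scope = ? OR p.scope IS NULL)"
        params.append(scope)
    return conn.execute(sql, params).fetchone() is not None


def check_strict(conn, user_id, ability, scope):
    """Proposed behavior: with no current scope, only unscoped grants match."""
    sql, params = BASE_SQL, [user_id, ability]
    if scope is None:
        sql += " AND p.scope IS NULL"
    else:
        sql += " AND (p.scope = ? OR p.scope IS NULL)"
        params.append(scope)
    return conn.execute(sql, params).fetchone() is not None


def demo():
    conn = build_db()
    grant(conn, 1, "edit-post", scope=1)     # user 1: granted inside tenant 1 only
    grant(conn, 2, "edit-post", scope=None)  # user 2: granted with no scope set
    return {
        # The reported problem: the tenant-1 grant passes once the scope is removed.
        "loose_user1_no_scope": check_loose(conn, 1, "edit-post", None),
        # With the explicit IS NULL clause the scoped grant no longer leaks out.
        "strict_user1_no_scope": check_strict(conn, 1, "edit-post", None),
        "strict_user1_scope1": check_strict(conn, 1, "edit-post", 1),
        "strict_user1_scope2": check_strict(conn, 1, "edit-post", 2),
        # An unscoped grant still passes whatever the current scope is.
        "strict_user2_scope1": check_strict(conn, 2, "edit-post", 1),
        "strict_user2_no_scope": check_strict(conn, 2, "edit-post", None),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

Running it shows `loose_user1_no_scope` as `True` and `strict_user1_no_scope` as `False`, while the unscoped grant for user 2 passes under both variants in every scope, which is the distinction the report asks for.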

commented

I recreated the repo based on what I was trying to achieve in my own project, because I didn't know if it was something I was doing. I've added a simpler test case that shows the unexpected behavior.

On the surface I agree with you. What you expect is probably expected behavior.

Thanks for the reproduction and thanks for the PR. I'm closing this issue for now, since we have the PR open. We don't need both open.