If you have the following structure in group membership, you may hit this issue (letters are groups, -> means member of):
D -> B -> A
D -> C -> A
When any checks will been done for group D or any user or subgroup of D, only one of group B or C will later be considered a member of A (unless these has been loaded previously in the cache). So members or members of other subgroups of B or C will not be considered member of A during further security checks.
1) create 4 groups A, B, C, D
2) Add group B and C into group A
3) Add group D into group B and C
4) Add user U1 to group D , user U2 to group B and user U3 to group C
5) Create a document DOC, and allow any right on document DOC to group A
(Save XWiki.XWikiPreferences to clean the caches)
6) Check that right on user U1 with success
7) Check that right on user U2 and U3, one of them will not be allowed
Expected behavior is that U1, U2, and U3 are member of A and receive the rights assigned to A on document DOC.