Steps to reproduce:

  1. Create a node tagged with a term from vocabulary_a.
  2. Install TAC and rebuild permissions.
  3. Configure the anonymous user as follows at admin/user/taxonomy_access/edit/1:
    Global default
    View: A
    Update: D
    Delete: D
    Create: No
    List: No

    vocabulary_a default
    View: A
    Update: D
    Delete: D
    Create: No
    List: No

  4. Rebuild access permissions again (because of #727648: Node access not updated on default change).
  5. Visit the node when logged out. It should be accessible.
  6. Now, change the vocabulary_a default as follows:
    vocabulary_a default
    View: D
    Update: D
    Delete: D
    Create: No
    List: No

  7. Rebuild access permissions again (because of #727648: Node access not updated on default change).
  8. Visit the node as the anonymous user. It is still accessible.

I tested all the possible combinations, rebuilding after each change, with the following results:
Global default / vocabulary_a default: Node accessible?
Allow/Allow: yes
Allow/Ignore: yes
Allow/Deny: yes

Ignore/Allow: no
Ignore/Ignore: no
Ignore/Deny: no

Deny/Allow: no
Deny/Ignore: no
Deny/Deny: no

In all cases, the global default behavior is followed regardless of how the vocabulary default is set. This is not the expected behavior.

Comments

xjm’s picture

Title: Vocabulary defaults do not override global defaults » Vocabulary defaults do not work properly

What's worse is that it appears that there is the same problem between vocabulary defaults and individual term grants. E.g., with the global default set to allow, the vocabulary default set to either allow or ignore, and the term set to deny, the node is still accessible. It only works properly if the vocabulary default is deleted from the role configuration entirely.

xjm’s picture

xjm’s picture

#687614: core permissions overrules TAC ? is a duplicate of this issue.

xjm’s picture

xjm’s picture

Status: Active » Postponed (maintainer needs more info)

I'm now unable to reproduce this bug with either 6.x-1.0 or 6.x-1.x-dev, even after completely uninstalling/reinstalling and rebuilding permissions. I'm not sure what is different between the test site I used when I reported this issue and the current one, but I'll postpone this until I can reproduce the issue reliably.

My current test site (where I cannot reproduce the bug) is OS 10.6 with PHP 5.2.13, MySQL 5.1.44_0 (mysqli driver), Drupal 6.16. Enabled modules include:
administration menu
all base cck modules
color
comment
database logging
help
menu
syslog
update status
upload
schema
coder
all devel modules except theme developer
import/export api
shared email
tac
token & token actions
views & views ui

Please post as much detail as you can if you encounter this issue, including steps to reproduce and your version of Drupal core.

xjm’s picture

Alright, the test site that has this problem:

PHP 5.2.11
MySQL 5.1.35
OS 10.5
core 6.12

enabled modules:
admin menu
base CCK
custom formatters
case tracker
color
comment
database logging
help
menu
profile
taxonomy
schema
date
date popup
coder
devel, generate, nodeaccess
advanced help
automatic nodetitles
shared email
tac (latest dev build)
lineage
token
taxonomy batch operations
views exporter
views UI

I will try updating all these modules to their latest versions and updating core on the test site to see if that resolves the issue.

xjm’s picture

Status: Postponed (maintainer needs more info) » Closed (fixed)

Upgrading the site in #6 to the latest dev build of the module now resolves the issue, so I'm assuming it was fixed by another patch.

xjm’s picture

Title: Vocabulary defaults do not work properly » Global defaults do not work properly on some sites
Version: 6.x-1.x-dev » 6.x-1.2
Priority: Normal » Critical
Status: Closed (fixed) » Active

I am encountering this issue again on a site with 6.x-1.2 with core 6.17. The global default seems to be overriding any grants, not just the vocabulary defaults. Written grants for a role are always consistent with the global default, including (this is the bad part) Ignore overriding Allow from specific terms. Obviously, this is a critical bug. Unfortunately, I cannot reproduce it on all sites.

Devel node access shows TAC writing zero-grant rows for nodes in a role where the Global default is I/I/I, regardless of whether more permissive terms are available.

xjm’s picture

Priority: Critical » Normal
Status: Active » Closed (fixed)

#8 was a problem with Content Taxonomy not updating node tags properly after a content import... so not actually a problem with TAC at all. It's working correctly once the nodes are actually tagged.
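A diagnostic query for the condition described in the comment above (nodes that are not actually tagged), added here as an example and not part of the original thread or of TAC itself. It assumes the stock Drupal 6 schema with no table prefix, that TAC writes its node_access rows under the realm 'term_access' with gid equal to the role ID, and that the anonymous role is rid 1 as in the reproduction steps.

```sql
-- Added example: list nodes that have TAC grant rows for the anonymous role
-- but carry no taxonomy terms on their current revision. A node that appears
-- here cannot be receiving term or vocabulary grants, so check its tagging
-- before treating its access as a TAC defect.
-- Assumptions: realm name 'term_access', gid = rid, no table prefix.
SELECT n.nid,
       n.type,
       na.gid          AS rid,
       na.grant_view,
       na.grant_update,
       na.grant_delete,
       COUNT(tn.tid)   AS tagged_terms
FROM node n
JOIN node_access na
  ON na.nid = n.nid
 AND na.realm = 'term_access'
LEFT JOIN term_node tn
  ON tn.nid = n.nid
 AND tn.vid = n.vid          -- term_node.vid is the node revision ID in Drupal 6
WHERE na.gid = 1             -- anonymous role
GROUP BY n.nid, n.type, na.gid,
         na.grant_view, na.grant_update, na.grant_delete
HAVING COUNT(tn.tid) = 0
ORDER BY n.nid;
```

An empty result means every node with anonymous TAC rows is tagged on its current revision; if rows come back for nodes you expected to be tagged, fix the tagging and rebuild permissions before retesting.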

xjm’s picture

The patch available in #881210: No list or create permissions on any terms may result in incorrect use of default on save should resolve any remaining problems like this. If you still encounter this bug or anything like it, please test the patch from that issue with the latest dev build of TAC. Direct link to patch:
http://drupal.org/files/issues/tac_881210-9.patch