  1. eZ Publish / Platform
  2. EZP-22775

[API] Permissions should handle missing limitations better


Details

    • Castor Core S1, Castor Core S2

    Description

      Steps to reproduce the issue:
      • make sure HTTP cache is enabled ("SetEnv USE_HTTP_CACHE 1" in the virtual host config)
      • create an object state group, with at least a couple of states
      • create a role
      • give it a policy of state/assign, with a limitation on the new state
      • assign that role to admin
      • go to backoffice
      Result:

      An exception will be thrown:

      NotFoundException: Could not find 'Limitation' with identifier 'NewState'
      
      Notes:

      On the last step you'll get the exception because the permission system loads all roles. The problem is that the NewState policyLimitationType is not implemented, and the admin user is loaded by the userhash generator. Funnily enough, things work if you assign the same role to another user and use it to log in.

      Proposed behavior change:

      • introduce optional logging for missing limitations
      • if not provided, throw like today; if provided, log instead and treat it as "no access", so it basically continues to the next assignment and treats the "current one" as "saying no"
      • setup prod to log by default
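
The proposed behaviour, sketched as an added example (not code from eZ Publish or from the reporter): a policy that carries an unimplemented limitation type is logged and denied, and evaluation continues with the next assignment. The function `canUser`, the array shapes, the callable logger and the `Section` limitation used as the implemented type are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the exception quoted in the report.
final class NotFoundException extends RuntimeException {}

/**
 * Hypothetical evaluator (not the eZ Publish API).
 * $assignments: role assignments, each a list of policies; a policy maps
 *               limitation identifier => allowed values.
 * $types:       implemented limitation types, identifier => callable(allowed, ctx): bool.
 * $logger:      optional callable(string): void.
 */
function canUser(array $assignments, array $types, array $ctx, ?callable $logger = null): bool
{
    foreach ($assignments as $policies) {
        foreach ($policies as $limitations) {
            $granted = true;
            foreach ($limitations as $identifier => $allowed) {
                if (!isset($types[$identifier])) {
                    $message = "Could not find 'Limitation' with identifier '$identifier'";
                    if ($logger === null) {
                        throw new NotFoundException($message); // no logger: throw like today
                    }
                    $logger($message);
                    // Fail closed: ignoring only the unknown limitation would widen the grant.
                    $granted = false;
                    break;
                }
                if (!$types[$identifier]($allowed, $ctx)) {
                    $granted = false;
                    break;
                }
            }
            if ($granted) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample data: "Section" is implemented, "NewState" is not.
$types = ['Section' => fn(array $allowed, array $ctx): bool => in_array($ctx['section'], $allowed, true)];
$assignments = [[['NewState' => [2]]], [['Section' => [1]]]];
$log = [];
var_dump(canUser($assignments, $types, ['section' => 1], function (string $m) use (&$log): void { $log[] = $m; }));
print_r($log);
try { canUser($assignments, $types, ['section' => 1]); } catch (NotFoundException $e) { echo $e->getMessage(), PHP_EOL; }
```

With a logger, the role holding the `NewState` limitation contributes no access and the decision falls to the remaining assignment; without one, the first call to reach that policy throws.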

          People

            Unassigned Unassigned
            gaetano.giunta-obsolete@ez.no Gaetano Giunta (Inactive)

              Time Tracking

                Estimated: Not Specified
                Remaining: 0m
                Logged: 1d 4h 30m