We currently have deny checks pretty early in the has_access() logic. It would be better to have the ACL order be respected, and have a DENY return false.
Need to make sure that tool-level user blocks still work properly, as do private tickets and developer-only forums.
Make sure tests & docstrings are updated, since this is important functionality. See particularly
all_allowed() will need to reflect these changes too.
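
The difference between an early deny check and ordered ACL evaluation, as an added example that is not the project's own code. The `ACE` tuple, the role names, the sample ACL and the three function names are assumptions made for illustration.

```python
from collections import namedtuple

# Simplified ACE model for illustration; not the project's own classes.
ACE = namedtuple("ACE", "access role permission")
ALLOW, DENY = "ALLOW", "DENY"


def has_access_deny_first(acl, roles, permission):
    """Early deny: any matching DENY wins, wherever it sits in the ACL."""
    matching = [a for a in acl if a.role in roles and a.permission == permission]
    if any(a.access == DENY for a in matching):
        return False
    return any(a.access == ALLOW for a in matching)


def has_access_ordered(acl, roles, permission):
    """Ordered: the first matching ACE decides; no match means no access."""
    for ace in acl:
        if ace.role in roles and ace.permission == permission:
            return ace.access == ALLOW
    return False


def all_allowed_ordered(acl, roles):
    """Set of permissions granted to `roles` under ordered evaluation."""
    decided = {}
    for ace in acl:
        if ace.role in roles:
            # Only the first matching ACE per permission counts.
            decided.setdefault(ace.permission, ace.access)
    return {perm for perm, access in decided.items() if access == ALLOW}


# Constructed sample ACL: the block sits after the admin grant
# but before the broad grant to every authenticated user.
SAMPLE_ACL = [
    ACE(ALLOW, "admin", "post"),
    ACE(DENY, "blocked-user", "post"),
    ACE(ALLOW, "authenticated", "post"),
    ACE(ALLOW, "authenticated", "read"),
]
```

With ordered evaluation a block only takes effect if its DENY entry precedes every ALLOW that the blocked user would otherwise match, so the position at which block entries are inserted becomes part of the access decision.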