Don't allow exclusive rights to block Owner inheritance

In the following ACLs anyone who is in group devs should still be
able to manage the refs/heads/qa/* namespace:

  Owner  admin   refs/*
  Owner  devs    refs/heads/*
  Owner  qa      -refs/heads/qa/*

So when testing permissions we don't honor the exclusive flag if
the category we are processing is owner.  This allows us to inherit
the owner permissions through from higher levels, and ensures that,
in the example above, qa cannot deny devs management of their namespace.

Change-Id: I4ea3ba929c61c77e20cf9ff77711ae205cf1c308
Signed-off-by: Shawn O. Pearce <sop@google.com>
Shawn O. Pearce
2010-08-28 16:55:42 -07:00
parent 3d1cfb032f
commit ab6bea67b0
2 changed files with 6 additions and 3 deletions


@@ -329,8 +329,11 @@ public class RefControl {
for (RefRightsForPattern right : perPatternRights.values()) {
val = Math.max(val, right.allowedValueForRef(groups));
if (val >= level || right.containsExclusive()) {
return val >= level;
if (val >= level) {
break;
}
if (right.containsExclusive() && !actionId.equals(OWN)) {
break;
}
}
return val >= level;
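Review bot: The new `right.containsExclusive() && !actionId.equals(OWN)` check makes Owner the one category that ignores exclusive rights, and nothing in the code says why, so a later reader may take the exemption for a bug and remove it. A comment above that `if` would cover it, for example `// Exclusive rights never block Owner: a broader Owner grant must still be inherited.` If `actionId` can ever be null at this point, `!OWN.equals(actionId)` keeps the permission check from throwing a NullPointerException; whether that can happen depends on callers not visible in this hunk. The enclosing method starts outside the hunk.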


@@ -86,9 +86,9 @@ public class RefControlTest extends TestCase {
assertOwner("refs/heads/x/*", uDev);
assertOwner("refs/heads/x/y", uDev);
assertOwner("refs/heads/x/y/*", uDev);
assertNotOwner("refs/*", uDev);
assertNotOwner("refs/heads/master", uDev);
assertNotOwner("refs/heads/x/y/*", uDev);
ProjectControl uFix = user(fixers);
assertFalse("not owner", uFix.isOwner());
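Review bot: Only the Owner side of the new condition is pinned by this hunk: the assertion for `refs/heads/x/y/*` changes, but nothing visible here checks that an exclusive right still stops inheritance for a non-Owner category under the same ACLs. Because the production change special-cases one category inside an access check, a companion assertion for another category on the exclusive pattern would guard against the exemption widening by accident. Such a test may already exist elsewhere in RefControlTest; the test method starts and ends outside the hunk.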