This fixes a problem demonstrated in
RefControlTest#unblockRead_NotPossible.

The new code is better commented and follows the general description
of how Gerrit permissions work. More precisely, BLOCK rules are
now processed top down. Previously BLOCK rules were processed together
with ALLOW rules, meaning that the mechanism for DENY processing could
also be used to disable BLOCK in child projects.

Add a complete reference description of how ACLs are evaluated in
Documentation/access-control.txt.

Change-Id: If917e10d3320a45e7a910c4bf15414065cdc5db8
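
The evaluation-order change described in this commit message, as an added example that is not Gerrit's code: a simplified Python model comparing BLOCK handled in the same child-first pass as ALLOW/DENY against BLOCK handled top down first. The `Rule` type, the group names and the "first project naming a group decides" shadowing are assumptions for illustration; refs, label ranges and exclusive sections are left out.

```python
from dataclasses import dataclass

ALLOW, DENY, BLOCK = "ALLOW", "DENY", "BLOCK"

@dataclass(frozen=True)
class Rule:          # hypothetical type: one permission on one ref
    action: str
    group: str

def _child_first(chain, groups, honor_block):
    """Walk child -> parent; the first project naming a group decides for it,
    which is how a child DENY shadows an inherited ALLOW (assumed model)."""
    decided, allowed = set(), False
    for rules in reversed(chain):
        seen = set()
        for r in rules:
            if r.group not in groups or r.group in decided:
                continue
            if r.action == BLOCK and not honor_block:
                continue          # BLOCK was already handled top down
            seen.add(r.group)
            if r.action == BLOCK:
                return False
            if r.action == ALLOW:
                allowed = True
        decided |= seen
    return allowed

def evaluate_mixed(chain, groups):
    """Before: BLOCK shares the child-first pass, so it can be shadowed."""
    return _child_first(chain, groups, honor_block=True)

def evaluate_block_first(chain, groups):
    """After: any matching BLOCK, parent first, denies before ALLOW/DENY run."""
    for rules in chain:                       # top down
        if any(r.action == BLOCK and r.group in groups for r in rules):
            return False
    return _child_first(chain, groups, honor_block=False)

# Constructed sample data: each chain is ordered parent -> child.
UNBLOCK_ATTEMPT = [[Rule(BLOCK, "contractors")], [Rule(ALLOW, "contractors")]]
CHILD_DENY = [[Rule(ALLOW, "devs")], [Rule(DENY, "devs")]]
```

In the model, the child project's ALLOW in `UNBLOCK_ATTEMPT` defeats the parent's BLOCK only under `evaluate_mixed`, while `CHILD_DENY` is denied under both orders.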