Weird group/role assignment after update (OD-2396)
Senderman opened 8 months ago

Hello. After updating to 11.9.0, I noticed some weird behavior in OneDev RBAC.

Issue 1:

I have a group called "gts-nomaster" which is set to be a default group in ~administration/settings/security. This group is authorized on some "root project" (called "GTS") with the following role:

All toggles are off
Code Privilege: write
Package Privilege: read
Editable Issue Fields: None
Job Privileges: * access [log,artifact]

In the "GTS" project, in ~settings/branch-protection, I've defined the following rule:

Branches: master main
Applicable Users: group(gts-nomaster)
Prevent Forced Push: Yes
Prevent Deletion: Yes
Prevent Creation: No
Commit Signature Required: No
Enforce Conventional Commits: No
Max Commit Message Line Length: Unspecified
Required Reviewers: group(Admin)
Required Builds: Unspecified
File Protections: * ** Reviewers group(Admin) 

With these settings, ANY user (because ANY user is in the "gts-nomaster" group by default) is able to commit to the master/main branches of any subproject of the "GTS" project.

Issue 2:

In group management, I go to the ~administration/groups/3/authorizations page and set it like this: 2025-05-04_02-48.png

Then I click save. But when I reload the page, or return to this page later, it looks like this, with an empty "project" field (although the setting takes effect after pressing the "save" button): 2025-05-04_02-49.png

Type: Bug
Priority: Normal
Assignee:
Affected Versions: 11.9.0
Labels: No labels
Issue Votes (1)
Watchers (3)
Reference: OD-2396