here's where the heavy lifting begins - everything is likely to be broken for quite some time as we add location and db independence to items and conversations and work through the rest of the permissions and how to federate the buggers.

include/security.php

@@ -274,7 +274,7 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
 					$gs .= '|<' . intval($g) . '>';
 			} 
 
-			$sql = sprintf(
+			/*$sql = sprintf(
 				" AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' ) 
 				  AND ( deny_cid  = '' OR  NOT deny_cid REGEXP '<%d>' ) 
 				  AND ( allow_gid = '' OR allow_gid REGEXP '%s' )
@@ -284,6 +284,16 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
 				intval($remote_user),
 				dbesc($gs),
 				dbesc($gs)
+			);*/
+			$sql = sprintf(
+				" AND ( NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
+				  AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+				  )
+				",
+				intval($remote_user),
+				dbesc($gs),
+				intval($remote_user),
+				dbesc($gs)
 			);
 		}
 	}