The design of User Permissions is dangerous

I have also seen the danger of the current user permission, and I attempt to fix it with a new doctype “DocType Permission”.

As soon as this document is created, there will be no permission to this document. Then, by adding each Role’s Additional Permission, the permission will be added (using an OR condition).

So, the combined condition would be,

doc_perm_conditions = (false OR role_1_cond OR role_2_cond)

This doc_perm_conditions will then be ANDed with the other permission query and the user permissions.

It works for me so far, but do you see any flaw?

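The combination described in the post above, written out as an added example (not the poster's code and not Frappe's own): it seeds the role block with false, ORs in each held role's condition, then ANDs the block with the remaining filters. The function names, sample roles and rows are constructed, SQLite stands in for the site database, and treating a blank role condition as granting nothing is an assumption.

```python
import sqlite3

DENY = "(1=0)"  # the "false" seed: a new DocType Permission grants nothing

# Constructed sample data: role -> condition, as an administrator might enter it.
ROLE_CONDITIONS = {
    "Sales User": "owner = 'alice'",
    "Auditor": "status = 'Closed' OR company = 'A'",
    "Guest": "",  # role listed without a condition
}
ROWS = [  # (name, owner, company, status), constructed
    ("D1", "alice", "A", "Open"),
    ("D2", "bob", "A", "Open"),
    ("D3", "alice", "B", "Closed"),
    ("D4", "bob", "B", "Open"),
]

def doc_perm_conditions(role_conditions, user_roles):
    """false OR role_1_cond OR role_2_cond, for the roles the user holds."""
    parts = [DENY]
    for role in sorted(user_roles):
        cond = (role_conditions.get(role) or "").strip()
        if cond:  # assumption: a blank condition grants nothing, not everything
            parts.append(f"({cond})")  # keep each role's inner OR/AND grouped
    return "(" + " OR ".join(parts) + ")"

def combined_where(role_conditions, user_roles, other_conditions=()):
    """AND the role block with the other permission query / user permissions."""
    clauses = [doc_perm_conditions(role_conditions, user_roles)]
    clauses += [f"({c})" for c in other_conditions if c.strip()]
    return " AND ".join(clauses)

def visible_names(where, rows=ROWS):
    """Run the clause against an in-memory table and return the visible names."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE doc (name TEXT, owner TEXT, company TEXT, status TEXT)")
    con.executemany("INSERT INTO doc VALUES (?, ?, ?, ?)", rows)
    # Conditions are administrator-authored configuration, not request input.
    sql = f"SELECT name FROM doc WHERE {where} ORDER BY name"
    return [r[0] for r in con.execute(sql)]

if __name__ == "__main__":
    where = combined_where(ROLE_CONDITIONS, {"Sales User", "Auditor"}, ["company = 'A'"])
    print(where)
    print(visible_names(where))
```

If the conditions were concatenated without parentheses, AND would bind tighter than OR and the closed document D3 from company B would pass the `company = 'A'` filter.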