  1. Couchbase Documentation
  2. DOC-9848

User able to insert document with insufficient RBAC permissions


Details

    • Bug
    • Resolution: Fixed
    • Major
    • Neo
    • Neo
    • security
    • None
    • DOC-2022-S6, DOC-2022-S7
    • 1

    Description

      CB Version: Enterprise Edition 7.1.0 build 2434

      Steps to Reproduce:

      1. Create a user with only read_write permissions on a collection. An insert attempt fails with NO_ACCESS, as expected.
      2. Create a user with read_write plus the query_insert or query_update permission and attempt an insert. The insert succeeds instead of failing with NO_ACCESS.

        package com.couchbase;
         
        import com.couchbase.client.core.error.DocumentNotFoundException;
        import com.couchbase.client.java.Bucket;
        import com.couchbase.client.java.Cluster;
        import com.couchbase.client.java.ClusterOptions;
        import com.couchbase.client.java.Collection;
        import com.couchbase.client.java.json.JsonObject;
        import com.couchbase.client.java.manager.user.*;
        import com.couchbase.constants.Strings;
        import com.couchbase.transactions.Transactions;
        import com.couchbase.transactions.config.TransactionConfigBuilder;
        import com.couchbase.transactions.error.TransactionFailed;
         
        import java.time.Duration;
        import java.util.*;
        import java.util.stream.Collectors;
        import java.util.stream.Stream;
         
         
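        /**
         * Repro for DOC-9848: a user holding only {@code data_reader} plus {@code query_insert}
         * (the description reports the same outcome with {@code query_update}) scoped to one
         * collection can still write a document through the KV {@code insert} call.
         * The expected outcome of the final insert is a NO_ACCESS failure; the reported
         * behaviour is that the insert succeeds and the document can be read back.
         */
        public class sample {
            /** Document body written by the test insert. */
            public static JsonObject initial = JsonObject.create().put(Strings.CONTENT_NAME, "initial");
            /** Active connection: first an Administrator session to provision the user, then the test-user session. */
            public static Cluster cluster;

            /**
             * Provisions {@code testuser} while connected as Administrator, reconnects as that user,
             * attempts an insert on the same collection and prints the document id and read-back content.
             * Both cluster sessions are disconnected even when a call throws.
             *
             * @param args unused
             */
            public static void main(String[] args) {
                String clusterHostname = "172.23.111.139";
                cluster = Cluster.connect(clusterHostname,
                        ClusterOptions.clusterOptions("Administrator", "password"));
                try {
                    // Collection testCollection = cluster.bucket("testBucket").defaultCollection();
                    Collection testCollection = cluster.bucket("testBucket").scope("testScope").collection("testCollection");
                    createUserAndRoles(testCollection);
                } finally {
                    cluster.disconnect();
                }

                cluster = Cluster.connect(clusterHostname,
                        ClusterOptions.clusterOptions("testuser", "password"));
                try {
                    //Collection testuserCollection = cluster.bucket("testBucket").defaultCollection();
                    Collection testuserCollection = cluster.bucket("testBucket").scope("testScope").collection("testCollection");

                    String docId = UUID.randomUUID().toString();
                    System.out.println("DocId:" + docId);
                    // The user has no data_writer role on this collection, so with correct RBAC
                    // enforcement this insert is expected to fail with NO_ACCESS.
                    testuserCollection.insert(docId, initial);
                    System.out.println("DocContent: " + testuserCollection.get(docId));
                } finally {
                    // Release the test-user session on every path, including when insert throws.
                    cluster.disconnect();
                }
            }

            /**
             * Creates {@code testuser} with {@code data_reader} and {@code query_insert} scoped to
             * {@code collection} via the currently connected {@link #cluster}, then waits 10s so the
             * user and its roles are visible on all nodes. Swap the commented role line in to test
             * the {@code query_update} variant instead.
             *
             * @param collection the collection the roles are scoped to; must not be null
             * @throws NullPointerException if {@code collection} is null
             */
            static void createUserAndRoles(Collection collection) {
                Objects.requireNonNull(collection, "collection");
                User rbacuser = new User("testuser");
                rbacuser.password("password");
                UserManager userManager = new UserManager(new AsyncUserManager(cluster.core()));

                List<Role> allRolesForThisUser = new ArrayList<>();
                allRolesForThisUser.add(new Role("data_reader", collection.bucketName(), collection.scopeName(), collection.name()));
                allRolesForThisUser.add(new Role("query_insert", collection.bucketName(), collection.scopeName(), collection.name()));
                //allRolesForThisUser.add(new Role("query_update", collection.bucketName(), collection.scopeName(), collection.name()));

                rbacuser.roles(allRolesForThisUser);
                userManager.upsertUser(rbacuser, UpsertUserOptions.upsertUserOptions().timeout(Duration.ofSeconds(10)));
                try {
                    Thread.sleep(10 * 1000); // sleep for 10s so that the user and its roles are reflected across nodes.
                } catch (InterruptedException e) {
                    // Re-assert the interrupt instead of printing it; the caller may then run its
                    // insert before the roles have propagated, which only affects the repro timing.
                    Thread.currentThread().interrupt();
                }
            }
        }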
         
          

         
