2.14 release notes: Add warning about changed BLOCK rule evaluation

Change Ia9b57b995 changed the way how BLOCK rules are evaluated. This
should be highlighted in the release notes.

Change-Id: I4ba8b9f370f1dc658dc499b9ae4df00524b1d9c7
Signed-off-by: Edwin Kempin <ekempin@google.com>
diff --git a/releases/2.14.md b/releases/2.14.md
index 2a026d0..cfb63c7 100644
--- a/releases/2.14.md
+++ b/releases/2.14.md
@@ -53,6 +53,28 @@
 Existing passwords will be migrated to a hashed password during site initialization
 when upgrading from an earlier version of Gerrit.
+### Evaluation of BLOCK permission rules has changed
+An exclusive ALLOW permission now has priority over a BLOCK permission when
+both permissions are defined on the same project.
+This means an exclusive ALLOW rule now overrules BLOCK rules on the same
+BLOCK rules still cannot be overruled by child projects.
+This change makes it possible to allow a permission for a specific ref and to
+block the same permission for all other refs. For example, it is now possible to
+allow all users to push changes for review, but to block all direct pushes:
+  [access "refs/*"]
+    push = block group Anonymous Users
+  [access "refs/for/*"]
+    exclusiveGroupPermissions = push
+    push = group Registered Users
 ### Deprecation of Velocity Email Templates
 This release deprecates the use of Velocity mail templates. In a future release