The checking of temp table permissions currently returns the first non-null permission from the role set. This is different from the additive behavior of all other permissions. It means that setting a role to explicitly not allow creating temp tables may inappropriately deny a user the ability to create temp tables even if a later role explicitly grants the permission.
The permission determination logic should be:

    if any role allows
        return allowed
    if any role doesn't allow
        return not allowed
    return the allowCreateTempTablesByDefault setting
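The following is an added illustration of the two evaluation strategies described above; it is not Teiid's own code. It assumes a simplified role model in which each role's temp table permission is represented as True (explicitly allowed), False (explicitly denied) or None (not set), and the `default` argument stands in for the allowCreateTempTablesByDefault setting. Running it shows the case the report describes: with one role that explicitly denies followed by a role that explicitly allows, the first-non-null check denies while the additive check allows.

```python
from typing import Optional, Sequence

# Constructed role model (assumption): each role contributes an Optional[bool]
# for the "create temp tables" permission. None means the role says nothing.
Roles = Sequence[Optional[bool]]


def first_non_null(roles: Roles, default: bool) -> bool:
    """Current behaviour: the first role with an explicit setting decides.

    A later explicit grant can never override an earlier explicit deny,
    which is what makes this inconsistent with the other, additive, permissions.
    """
    for perm in roles:
        if perm is not None:
            return perm
    return default


def additive(roles: Roles, default: bool) -> bool:
    """Proposed behaviour, in the order given in the report.

    Any explicit allow wins; otherwise any explicit deny wins; otherwise
    fall back to the allowCreateTempTablesByDefault setting.
    """
    if any(perm is True for perm in roles):
        return True
    if any(perm is False for perm in roles):
        return False
    return default


def compare(roles: Roles, default: bool) -> dict:
    """Evaluate both strategies on the same role set for side-by-side review."""
    return {
        "first_non_null": first_non_null(roles, default),
        "additive": additive(roles, default),
    }


if __name__ == "__main__":
    # Constructed scenario from the report: an earlier role explicitly denies,
    # a later role explicitly grants, and the default would allow.
    scenario = [False, True]
    print(compare(scenario, default=True))
```

The only inputs that change outcome between the two strategies are role sets containing both an explicit deny and a later explicit allow; when no role sets the permission at all, both strategies return the default.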