I just realized the following:
// Call the current user info
global $current_user;
// Add a capability
// and set the 2nd argument ($grant) to false
$current_user->add_cap( 'some_cap', false );
Now I’ve successfully added a capability to the user, but denied her/him the access to this capability.
If I now check with $current_user->has_cap( 'some_cap' ); I’d get a true in return. The same goes for current_user_can( 'some_cap' ); as this is only a wrapper for the has_cap functions arguments.
Q: Where is the 2nd argument used? Did I get something wrong?
I think you are using it right. I think it is actually a bug in WordPress.
When you do the same for roles
$somerole->add_cap( 'some_cap', false );, it works as expected.