I've edited the above to hopefully make this somewhat more clear, but to be more specific in answer to your question:

• you have to be able to read recipe1 to get at its list of bags
  
• then to be able to get at the list of tiddlers produced by those bags, you need read on the bags, including bag1
  
• actions that involve a write only check the constraint on the target bag (which is either explicit in the request, or determined implicitly by reading and processing the recipe)
  
• manage only comes into play when editing the the policy or description of a bag or recipe