First, you frequently want to grant admin on all *content* of an object, e.g. all bugs in a bug-tracker, without granting admin on the bug-tracker itself. Or admin on all forums and threads, without granting admin on the forums package itself.
Also, the 'grant admin on all news items' has come up time and again.
So how about this: Have 3 types of grants:
- grant on the object itself, but not the child
- grant on the children, but not the object itself
- grant on all children of a certain object_type, but not the object itself.
Before you say "permissions is slow already, this will just make it slower", we have a design at hand which is known to speed things up considerably:
Instead of having one row per (object_id, grantee_id, privilege), like you do today, have a table with a single row per (object_id, grantee_id), and with one column for each privilege in the system.
Of course, that number can fluctuate, but if we just create about 500 spare columns with generic names, that should be good enough for the time being. Plus we want to get rid of custom privs, not add to them.
Branimir has some experience with this, and can help us implement it for OpenACS, and he claims that it made permissions checks a zip.