is there any way of doing negative permission grants with the permission system?
I want to be able to mount an application on a subsite that is read-only for everyone except subsite admins... the obvious (to me at least) way of doing this would be to keep the context_id of the application pointing to the subsite while blocking the 'write' permission from propagating through permission inheritance and giving subsite admins an explicit 'write' grant... AFAIK this isn't actually possible, but if it is it'd save a bunch of trouble in managing permissions or bodging the app to test for 'admin' instead of 'write'...
