I have been looking into this extensively to try to fix some bugs in ACS4Tcl. There seems to be little consensus on the semantic meaning of acs_objects.context_id. The best reference (for issues, that is) I have found is here, though it is dated.
In the last couple of days, I have been staring at this from acs-objects-create.sql:
comment on column acs_objects.context_id is '
The context_id column points to an object that provides a context for
this object. Often this will reflect an observed hierarchy in a site,
for example a bboard message would probably list a bboard topic as
it''s context, and a bboard topic might list a sub-site as it''s
context. Whenever we ask a question of the form "can user X perform
action Y on object Z", the acs security model will defer to an
object''s context if there is no information about user X''s
permission to perform action Y on object Z.
';
In the context (sorry 😊 of the above reference, the Permissions Explained document, and reading the code for several packages, the possible conflict between the logical (i.e. site) hierarchy and the security hierarchy is focused on this acs_objects attribute. Note however, that this conflict, while possible, is not forced by the data model design.
Specifically, if the logical and security hierarchies are the same, all will be right with the world. I think this is true, but I cannot prove it yet. And they probably do not have to be the same, just one must be a strict subset of the other.
The thread called Implicit use of Context_id=Package_id of the above bboard post is the most illuminating for me, thus far.
My apologies, since this mostly just raises more questions..
Regards..Roger
