Forum OpenACS Development: negative permission grants

Collapse
Posted by russ m on
is there any way of doing negative permission grants with the permission system?

I want to be able to mount an application on a subsite that is read-only for everyone except subsite admins... the obvious (to me at least) way of doing this would be to keep the context_id of the application pointing to the subsite while blocking the 'write' permission from propagating through permission inheritance and giving subsite admins an explicit 'write' grant... AFAIK this isn't actually possible, but if it is it'd save a bunch of trouble in managing permissions or bodging the app to test for 'admin' instead of 'write'...

Collapse
Posted by Dave Bauer on
To do this now, you would need to set the application to not inherit permissions from the subsite, then grant the necessary permissions. Read for all users, and write to just the subsite admins.