Forum OpenACS Development: Re: Proposal: Removal of unnecessary custom permissions

Posted by Jeff Davis on
I definitely think both an audit of the toolkit to check that permissioning is being done properly and a cleanup of some of the permissions that are too fine grained is a good idea.

That said, we need to exercise some care that in the process we don't turn OpenACS into a toolkit that is only suitable for small organizations. Leaving aside the fact that the admin pages shouldn't really be in admin (which is what prevents having news_admin actually work as expected), I can certainly see a larger site wanting to allow someone to admin all instances of news in a subsite but being unable to grant them admin on the subsite.

I think you want the permissioning granularity to be pretty fine since going from fine -> coarse is a matter of changing some data (permissions inheritance etc) but going the other way means changing code. You don't want to say to a large site that needs fine grained permissions that you are going to have to change code in most of the packages to support their needs. Not to mention that doing this adds some appreciable risk that you get it wrong.

I don't really find the custom permissions to be a big problem from a development standpoint, and for a small site granting base permissions (admin, read, etc) on the root generally works as you would expect.

The real issue is that the UI for permissioning and browsing permissions is a huge trainwreck. I suspect if we spent a little time on this we would collectively feel much less inclined to remove quite so many of the permissions as we are now.