Explicitly denying permissions via DENIED

Question asked by marcus on Jan 2, 2009
I have a use case where permissions are granted for groups to content hierarchies, with inheritance set on the folders so they cascade down to the bottom of the tree. In some cases, however, I want to be able to explicitly DENY access for a sub-group or individual users to individual pieces or sub-trees of content. Looking through the NodeTest.evaluate() method, it looks like the permission evaluation logic works by continually looking up the tree to find any possible ALLOW permission; however, what I want it to do is stop as soon as a "DENY" is found for that permission. My structure is as follows:

User "editor" in a group called "Editors"

Company Home
- Content Folder (Editors has "Coordinator" permission)
  - file.txt
  - other_file.txt (Via a custom bit of code, I have set DENIED permissions for a variety of things to try and get things to work, including All Permission, Coordinator, Read, etc.)

Unfortunately, other_file.txt seems to still be readable; is there something else I should be doing or is my understanding of evaluate correct?
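
A simplified model of the two evaluation orders discussed in the question above, added here as an illustration; it is not Alfresco's NodeTest.evaluate() code. The Node class, the IMPLIES permission expansion, and the ACL entries are constructed assumptions that mirror the folder structure in the post.

```python
from dataclasses import dataclass, field

# Constructed sample data: authorities held by each user (user name + groups).
GROUPS = {"editor": {"editor", "Editors"}}
# Hypothetical expansion of a permission group into the permissions it covers.
IMPLIES = {"Coordinator": {"Coordinator", "Read", "Write"}}

@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    inherit: bool = True                      # inherit parent permissions
    aces: list = field(default_factory=list)  # (authority, permission, status)

def chain(node):
    """Yield the node, then its ancestors for as long as inheritance is on."""
    while node is not None:
        yield node
        node = node.parent if node.inherit else None

def matching(node, user, perm):
    """Statuses of the entries on this node that apply to user and perm."""
    auths = GROUPS.get(user, {user})
    return [status for auth, p, status in node.aces
            if auth in auths and perm in IMPLIES.get(p, {p})]

def any_allow(node, user, perm):
    """Order described in the question: any ALLOWED up the tree grants access."""
    return any("ALLOWED" in matching(n, user, perm) for n in chain(node))

def deny_wins(node, user, perm):
    """Order the question asks for: the nearest matching entry decides,
    and DENIED beats ALLOWED when both are set on the same node."""
    for n in chain(node):
        hits = matching(n, user, perm)
        if "DENIED" in hits:
            return False
        if "ALLOWED" in hits:
            return True
    return False  # nothing matched anywhere: default deny

def build():
    """Constructed tree: Company Home > Content Folder > two files."""
    home = Node("Company Home")
    folder = Node("Content Folder", home,
                  aces=[("Editors", "Coordinator", "ALLOWED")])
    plain = Node("file.txt", folder)
    denied = Node("other_file.txt", folder,
                  aces=[("editor", "Read", "DENIED")])
    return plain, denied
```

Under `any_allow`, the DENIED entry on other_file.txt has no effect because the search continues to the folder's ALLOWED entry; under `deny_wins`, the walk stops at the file.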