30 Mar 2003, 12:40 a.m.
Having multiple roles seems like huge overkill. When you get down to it, the users are defined in acl_users, a regular object. If you stripped the acquisition wrapper and placed acl_users in the context of the actual container, you would bypass all those problems, as the acl_users would only be effective in siblings and their child nodes, which is the expected behaviour.
If you configure priv_method in folder2 such that it is only viewable by folder2_admin, you won't be able to see it if your role is folder1_admin. This suggests that the roles required for privileged operations should be tailored very carefully so as to be available only to those intended to have them. Re-using roles is too permissive in most cases.