On Sat, 2003-03-29 at 16:40, James Davies wrote:
Having multiple roles seems like a huge overkill. When you get down to it, the users are defined in acl_users, a regular object. If you stripped the acquisition wrapper and placed acl_users in the context of the actual container, you would bypass all those problems as the acl_users would only be effective in siblings and their child nodes, which is the expected behaviour.
Yes... that will do the trick in many situations, though it has its own significant shortcomings. I use a lot of shared stuff between virtual hosts so it doesn't work for me to choke off privileged upward acquisition.

Partitioning roles may only be relevant for certain configurations or it may just be a paranoia layer. I suspect that answering that question will require a great deal more time and effort than I'm currently able to put to the task. Then again, the OP *appears* to have supplied us with an example of where it's necessary. Difficult to say for sure.

In any event you should, of course, use the configuration that is best-suited for your particular requirements.

Dylan