Group ACLs the rights: CreatePersonalGroup CreateGroup AdminGroup * Update group metadata and access control list AdminGroupMembers * Add ad delete members of this group ModifyOwnMembership * Join and quit this group the primitives: In user.pm =item HasRight { Right => 'somerightname', ObjectType => 'Group', ObjectId => 'GroupId' Returns true if this user has the right 'somerightname' for the group with id 'Id' =cut =item RightsForObject { ObjectType => 'Group', ObjectId =>'GroupId' } in users.pm =item WhoHaveRight { Right =>'somerightname', ObjectType => 'Group', ObjectId => 'GroupId' } Finds all users who have the right 'somerightname' for the group in question. If a user has "AdminGroupMembers" globally and we ask about group 23, that user should be found. =cut Users must be able to delegate individual rights * Is it that users can delegate any and all rights but it's only rights they _have_ which actually grant rights. rights must not be redelegated users must be able to create groups to which rights can be delegated. Only users who have the "delegate rights" right can delegate rights. When a user's right to do something is revoked, the delegation must be revoked * For any delegated ACL check, the delegator's right must be checked immediately after the delegatee's right. If a user has had a right delegated by multiple parties, this may mean that we need to actually loop through and check a bunch of possible delegations. Or can we craft a "has delegated right" ACL check. ACL 1 Group Q has the right to Frob ObjectI. ACL 2 User A has the right "DelegateRights" Group Q has the member Group S Group S has the member Group R Group S has the member Group T Group R has the member user A Group T has the member user A User A delegates to Group P the right to Frob ObjectI New ACL rule: ACL 3: Group P has the right to Frob ObjectI as delegated from ACL1 by User A In the case where ACL1 is revoked: find all acls which are delegated from ACL1. Delete them In the case where User A is removed from group R Get the list of all groups that A was in by way of group R before the removal Get the list of all groups that A is in _after_ the removal. Find all the ACEs granted to each group that A is no longer in. For each ACE in that list, find all the rights that A has delegated. Whack them. In the case where Group S is removed from group Q Get a list of all groups that S was in by way of Q before the removal Call this list O. For each user X who's a member of S (directly or indirectly): Get a list of all groups that X is in after removal. For each group in O that X is no longer a member of: Find all ACEs granted to O For each ACE, look up all the delegations that X has made. For each delegation WHACK IT