hi
I am wondering the reasoning behind not allowing a deny for a set of permissions to be allowed on a group ?
original change behind was that david wished the group membership to be stored together with the authorizable and not with the group itself. while discussing that change, we (chris/david/angela) were also talking about the 'order' of group membership and the problem denies impose... consequently david opposed to having denies for groups in general. that's why i add the check in jackrabbit. just for your information: we had the same discussion again last week, reconsidering that decision once again...
Which appears to be contrary to the advice given in [1], assuming CRX is using the same or similar code.
please note: crx != jackrabbit. crx 1.4 is not using the same code. the original patch for user/ac management posted by chrisk (see JCR-1171) is derived from crx and has been heavily modified in order to match the requirements from jsr 283. for the future of crx security stuff please direct yourself to day directly. angela
