I figured ACE are evaluated in the order they appear in the ACL. This is fine. We just place all grants before all denies and the behaviour is exactly like we want it to be.
However I also figured that inherited ACEs are always evaluated after any non-inherited ACE (actually not only that, but the lower the levels of inheritance the higher the ACE priority). Are my findings correct?
This sounds reasonable at first but imagine the following scenario.
A user, hugo, is member of 3 groups: webdavuser , role1 and role2.
webdavuser is a group that every user is a member of. webdavuser denies all on the top level folder, so that any access right has to be explicitely granted to a user or one of its groups (which works nicely if you always place all grants before all denies).
However if you grant all to role1 on the top level folder and deny all to role2 on one subfolder, user hugo hass no access rights on this subfolder, although I want him to have since he is a member of role1.
Is it somehow possible to do that? In other words is it possible to evaluate all grants (inherited or not) before all denies? (However, user “DAV:all” should never take precedence of course
Hope, I made my point clear (I couldn’t really find this issue covered in the ACL specification).
Your analysis here seems precisely correct to me.
The only thing I can think of (and I haven’t tried this: our user-interface for ACL editing doesn’t support it at the moment, so I don’t even know if Tamino Webdav Server supports it) is to use something with DAV:invert on an ACE. So, when you set deny on role2 on some subdirectory, you could also set grant on role2 on that subdirectory.
I haven’t thought through all the implications of this, so I’m not sure it does quite what you want (even if it works), but maybe it’s worth a try?