Apache Allura™

--- old 
+++ new 
@@ -1,1 +1,7 @@
 We should be able to specify acls that are additive as well as subtractive.  To that end, we should update the acl structure to be a list of permission grants and revocations.
+
+An ACL will consist of a list of tuples of the form (ALLOW/DENY, *principal*, *permissions*). *principal* will generally be a ProjectRole but can also be None, indicating all users. *permissions* is a list of strings, which may include *, indicating all permissions.
+
+The has_artifact_access() will examine each tuple in the artifact list, followed by the tool ACL, looking for a match with the current principal and the requested permission. If it finds a match, it uses the ALLOW/DENY field to determine whether the principal has the requested access. This terminates the list traversal. If it traverses both lists and doesn't find a match, it defaults to DENY.
+
+There will be special logic to allow neighborhood admins to have any and all permissions.

--- old 
+++ new 
@@ -1,7 +1,10 @@
 We should be able to specify acls that are additive as well as subtractive.  To that end, we should update the acl structure to be a list of permission grants and revocations.

-An ACL will consist of a list of tuples of the form (ALLOW/DENY, *principal*, *permissions*). *principal* will generally be a ProjectRole but can also be None, indicating all users. *permissions* is a list of strings, which may include *, indicating all permissions.
-
-The has_artifact_access() will examine each tuple in the artifact list, followed by the tool ACL, looking for a match with the current principal and the requested permission. If it finds a match, it uses the ALLOW/DENY field to determine whether the principal has the requested access. This terminates the list traversal. If it traverses both lists and doesn't find a match, it defaults to DENY.
-
-There will be special logic to allow neighborhood admins to have any and all permissions.
+An ACL will consist of a list of tuples of the form (ALLOW/DENY, *principal*, *permission*). *principal* will be a ProjectRole. *permissions* is string, which may be *, indicating all permissions.
+
+The has_access() will examine each tuple in the acl, followed by the "parent security context" acl, looking for a match with the current principal and the requested permission. If it finds a match, it uses the ALLOW/DENY field to determine whether the principal has the requested access. This terminates the list traversal. If it traverses both lists and doesn't find a match, it defaults to DENY. The parent security contexts are as follows:
+
+* Artifact => App
+* Project => parent Project
+
+There will be special logic to allow neighborhood admins to have any and all permissions for artifacts/tools/projects in their neighborhood.

# all logging goes to /var/log/allura/allura.log
allurapaste script /var/local/config/production.ini ../scripts/update-acls.py test
# verify output, no tracebacks
allurapaste script /var/local/config/production.ini ../scripts/update-acls.py 
# verify output, no tracebacks

--- old 
+++ new 
@@ -8,3 +8,5 @@
 * Project => parent Project

 There will be special logic to allow neighborhood admins to have any and all permissions for artifacts/tools/projects in their neighborhood.
+
+Also as part of this ticket, project permissions are simplified and neighborhood permissions now delegate to the --init-- project for that neighborhood.