Hi,

I am working with Acls within Acegi and have found some behaviour which seems odd and contrary to the documentation. It seems that to have an object inherit an acl from its parent you must have at least one acl attached to that object. That is, if you have an object with no acls directly attached to it, but that object has a parent that has acls that should be propagated, the acls won't be passed down unless you add at least one acl to that object. That acl can belong to anybody, it just needs to be there.

The reason is that acegi relies on acls to work out if there is a parent object. So an object has no acls attached to it, acegi can't find a parent, the inheritance tree isn't walked and no acls are propagated. This is backed up in the BasicAclProvider code. If it gets a null from the BasicAclDao then it doesn't do any further processing.

My question is. why rely on the Acls, why not on the AclObjectIdentity? If acegi looked at the AclObjectIdentiy for parent information, the system would work as advertised in section 1.14.3 of the reference guide.

The easy hack around this is to create an acl pointing to an 'imaginary' recipient at object creation time. This would give acegi an Acl to find the parent from and the world would be at peace again. This has been tested to work.

Am I missing an important concept, or should I look at writing a fix.

Cheers,
Deakin.