We are working on an application that deals with user management. The application uses Acegi ACL to manage what rights users have over other users. User permissions are inherited, so that the superuser sees and manages everyone, and sub-users who have the role of ROLE_USER_MANAGER can manage users below them in the ACL hierarchy. User managers can also view and delete permissions assigned to users below themselves in the hierarchy. The application calls getAcls in the Acegi class AclManager to get a list of Acls pertaining to a specific user.

Here is my question: is there any way to easily filter which permissions get shown? For example, if we have users called grandparent, parent and child, parent shouldn't see grandparent's permissions over child, even though grandparent has inherited permissions over child. I would also like to filter out the __INHERITANCE_MARKER_ONLY__ permission. The Acl system correctly doesn't allow children to delete their parents' permissions, so it seems Acegi has some notion of where Acl entries belong in the inheritance hierarchy.
Any help much appreciated,