Index: openacs-4/packages/acs-subsite/www/permissions/perm-include.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/perm-include.tcl,v
diff -u -r1.20 -r1.21
--- openacs-4/packages/acs-subsite/www/permissions/perm-include.tcl 6 Nov 2018 12:38:16 -0000 1.20
+++ openacs-4/packages/acs-subsite/www/permissions/perm-include.tcl 3 Sep 2024 15:37:34 -0000 1.21
@@ -9,23 +9,59 @@ {object_id:integer} {return_url:localurl ""} {privs { read create write delete admin }} + {detailed_permissions_p:boolean,notnull f} {user_add_url:localurl ""} +} -validate { + valid_privs -requires {privs} { + # + # Ensure users can only specify valid privileges. + # + set n_privs [llength $privs] + if {$n_privs == 0} { + return + } + set n_valid_privs [db_string get_valid_permissions " + select count(*) from acs_privileges + where privilege in ([ns_dbquotelist $privs])"] + if {$n_privs != $n_valid_privs} { + ad_complain [_ acs-tcl.lt_name_contains_invalid \ + [list name privs]] + } + } } set user_id [ad_conn user_id] set admin_p [permission::permission_p -object_id $object_id -privilege admin] +set ad_return_url [ad_return_url] if { $return_url eq "" } { - set return_url [ad_return_url] + set return_url $ad_return_url } -acs_object::get -object_id $object_id -array obj -set object_name $obj(object_name) -set context_id $obj(context_id) -set parent_object_name [acs_object_name $obj(context_id)] +# +# When "privs" are passed in from the as empty, take the +# defaults. This way, it is still backward compatible and it does not +# require that the caller needs to know the default privileges. +# +if {$privs eq ""} { + set privs { read create write delete admin } +} + +set object_info [acs_object::get -object_id $object_id] +set name [dict get $object_info object_name] +set security_inherit_p [dict get $object_info security_inherit_p] +set context_id [dict get $object_info context_id] +if {$context_id == -3} { + # + # Legacy installations have #acs-kernel.Default_Context# set in + # cases, where newer instances have a NULL value. + # + set context_id "" +} + set elements [list] -lappend elements grantee_name { +lappend elements grantee_name { label "[_ acs-subsite.Name]" link_url_col name_url display_template { 
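Review bot: The `valid_privs` check compares `[llength $privs]` with a `count(*)` over distinct rows, so a list that repeats a valid privilege (for example `read read`) is rejected with the "contains invalid" complaint even though every entry exists. Counting unique entries, `set n_privs [llength [lsort -unique $privs]]`, keeps the check strict for unknown names and stops misreporting duplicates; whether duplicates should then be dropped before the `foreach priv $privs` loop is a separate decision. This validator is also the only thing between `privs` and the unquoted interpolation in `sum(ptab.${priv}_p) as ${priv}_p` (hunk at -38) and the `subst` template (hunk at -50), so a comment saying so above `valid_privs` would stop a later cleanup from weakening it. Because membership in `acs_privileges` does not by itself guarantee identifier-safe characters, consider also rejecting any entry that is not made of plain word characters.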
@@ -38,7 +74,9 @@ } } -foreach priv $privs { +set mainsite_p [expr {$object_id eq [subsite::main_site_id]}] + +foreach priv $privs { lappend select_clauses \ "sum(ptab.${priv}_p) as ${priv}_p" \ "(case when sum(ptab.${priv}_p) > 0 then 'checked' else '' end) as ${priv}_checked" @@ -50,24 +88,35 @@ [list \ html { align center } \ label [string totitle [string map {_ { }} [_ acs-subsite.$priv]]] \ - display_template [subst { + display_template [subst -nocommands { + + + + + - X + - + }] \ ] } # Remove all lappend elements remove_all { - html { align center } + html { align center } label "[_ acs-subsite.Remove_All]" - display_template {} + display_template { + + + + + } } +#lappend elements grantee_id set perm_url "[ad_conn subsite_url]permissions/" 
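Review bot: The switch to `subst -nocommands` at `display_template` still leaves variable and backslash substitution on, so `$priv` is written into the template verbatim, and Tcl will still run a command that appears inside the array index of a substituted variable. The template body is not visible in this view, so I cannot tell whether it contains such a form; if it only uses `$priv`/`${priv}`, a short comment would record the intent, e.g. `# -nocommands: template text may contain [ ]; only $priv is meant to be substituted`. Separately, the added `#lappend elements grantee_id` line is commented-out code and would be better removed or explained.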
@@ -76,29 +125,44 @@ set user_add_url "${perm_url}perm-user-add" } set user_add_url [export_vars -base $user_add_url { - object_id expanded {return_url "[ad_return_url]"} + object_id expanded {return_url $ad_return_url} }] -set actions [list \ - [_ acs-subsite.Grant_Permission] \ - [export_vars -base "${perm_url}grant" {return_url application_url object_id}] \ - [_ acs-subsite.Grant_Permission] \ - [_ acs-subsite.Search_For_Exist_User] \ - $user_add_url \ - [_ acs-subsite.Search_For_Exist_User]] +set actions {} +if {$detailed_permissions_p} { + lappend actions \ + [_ acs-subsite.Grant_Permission] \ + [export_vars -base "${perm_url}grant" {return_url application_url object_id}] \ + [_ acs-subsite.Grant_Permission] +} +lappend actions \ + [_ acs-subsite.Grant_Permissions_to_Users] \ + $user_add_url \ + [_ acs-subsite.Grant_Permissions_to_Users-helptext] +# +# When there is no context_id given, do not offer to turn +# security_inherit_p on or off. +# if { $context_id ne "" } { - set inherit_p [permission::inherit_p -object_id $object_id] + # + # The variable "parent_object_name" is used in the following + # message keys: + # + # lt_Do_not_inherit_from_p, lt_Inherit_from_parent_o, + # lt_Inherit_permissions_f, lt_Stop_inheriting_permi + # + set parent_object_name [acs_object_name $context_id] - if { $inherit_p } { + if { $security_inherit_p } { lappend actions \ [_ acs-subsite.lt_Do_not_inherit_from_p] \ - [export_vars -base "${perm_url}toggle-inherit" {object_id {return_url [ad_return_url]}}] \ + [export_vars -base "${perm_url}toggle-inherit" {object_id {return_url $ad_return_url}}] \ [_ acs-subsite.lt_Stop_inheriting_permi] } else { lappend actions \ [_ acs-subsite.lt_Inherit_from_parent_o] \ - [export_vars -base "${perm_url}toggle-inherit" {object_id {return_url [ad_return_url]}}] \ + [export_vars -base "${perm_url}toggle-inherit" {object_id {return_url $ad_return_url}}] \ [_ acs-subsite.lt_Inherit_permissions_f] } } 
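Review bot: Nothing in the visible code says what `detailed_permissions_p` is for, yet after this change it decides whether the `Grant_Permission` action (the link to `${perm_url}grant`) is offered at all, and it defaults to `f`. Existing includers that relied on that action will lose it silently, so the default and its effect should be documented where the flag is used, e.g. `# The per-privilege grant page is only linked when the caller passes detailed_permissions_p; by default only the grant-to-users page is offered.` The contract's documentation block lies outside the hunks shown, so it may already cover this.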
@@ -128,12 +192,24 @@ # 2 = has permission, not direct => inherited # 1 = has permission, it's direct => direct -# -1 = no permission +# -1 = no permission # NOTE: # We do not include site-wide admins in the list db_multirow -extend { name_url } permissions permissions {} { + # + # In case, the message key resolves to an empty string, show this + # message key. An example is on my local instance, the + # automatically generated group title: + # + # #acs-translations.group_title_XXXX# + # + if { [string match #*# $grantee_name] } { + if {[::lang::util::localize $grantee_name] eq ""} { + set grantee_name [string range $grantee_name 0 end-1] + } + } if { $object_type eq "user" && $grantee_id != 0 } { set name_url [acs_community_member_url -user_id $grantee_id] }
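Review bot: The new fallback in the `db_multirow` body drops the last character of `grantee_name` with `string range $grantee_name 0 end-1`, but the comment does not say why. Presumably the trailing `#` is removed so that the value no longer looks like a message key and is shown literally instead of being localized to an empty string later. I would state that in the comment and replace the "on my local instance" remark with a neutral description, e.g. `# Unresolvable message key (e.g. an auto-generated group title): strip the trailing "#" so the raw key is displayed instead of an empty name.` The `db_multirow` body continues past the end of the hunk.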