Index: openacs-4/packages/acs-kernel/acs-kernel.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-kernel/acs-kernel.info,v
diff -u -N -r1.136.2.17 -r1.136.2.18
--- openacs-4/packages/acs-kernel/acs-kernel.info	5 Jul 2016 16:35:23 -0000	1.136.2.17
+++ openacs-4/packages/acs-kernel/acs-kernel.info	6 Jul 2016 13:47:02 -0000	1.136.2.18
@@ -9,15 +9,15 @@
     <implements-subsite-p>f</implements-subsite-p>
     <inherit-templates-p>t</inherit-templates-p>
     
-    <version name="5.9.1d11" url="http://openacs.org/repository/download/apm/acs-kernel-5.9.1d11.apm">
+    <version name="5.9.1d12" url="http://openacs.org/repository/download/apm/acs-kernel-5.9.1d12.apm">
         <owner url="mailto:oct@openacs.org">OpenACS Core Team</owner>
         <summary>Routines and data models providing the foundation for OpenACS-based Web services.</summary>
         <release-date>2016-07-05</release-date>
         <vendor url="http://openacs.org">OpenACS</vendor>
         <description format="text/html">The OpenACS kernel contains the core datamodel create and drop scripts for such things as objects, groups, partiies and the supporting PL/SQL and PL/pgSQL procedures.</description>
         <maturity>3</maturity>
 
-        <provides url="acs-kernel" version="5.9.1d11"/>
+        <provides url="acs-kernel" version="5.9.1d12"/>
 
         <callbacks>
         </callbacks>
Index: openacs-4/packages/acs-kernel/sql/postgresql/acs-permissions-create.sql
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-kernel/sql/postgresql/acs-permissions-create.sql,v
diff -u -N -r1.39.2.4 -r1.39.2.5
--- openacs-4/packages/acs-kernel/sql/postgresql/acs-permissions-create.sql	6 Jul 2016 07:40:56 -0000	1.39.2.4
+++ openacs-4/packages/acs-kernel/sql/postgresql/acs-permissions-create.sql	6 Jul 2016 13:47:02 -0000	1.39.2.5
@@ -627,7 +627,8 @@
 BEGIN
     v_security_context_root := acs__magic_object_id('security_context_root');
 
-    RETURN QUERY WITH RECURSIVE
+    RETURN QUERY
+    WITH RECURSIVE
        object_context(obj_id, context_id, orig_obj_id) AS (
            SELECT p_object_id, p_object_id, p_object_id
            UNION ALL
@@ -655,7 +656,35 @@
 END; 
 $$ LANGUAGE plpgsql stable;
 
+--
+-- procedure acs_permission.permissions_all/1
+--
+CREATE OR REPLACE FUNCTION acs_permission.permissions_all(
+       p_object_id integer
+) RETURNS table (object_id integer, grantee_id integer, privilege varchar) AS $$
+DECLARE
+    v_security_context_root  integer;
+BEGIN
+    v_security_context_root := acs__magic_object_id('security_context_root');
 
+    RETURN QUERY
+    WITH RECURSIVE object_context(obj_id, context_id, orig_obj_id) AS (
+           SELECT p_object_id, p_object_id, p_object_id
+           UNION ALL
+           SELECT
+              ao.object_id,
+              CASE WHEN (ao.security_inherit_p = 'f' OR ao.context_id IS NULL) 
+              THEN v_security_context_root ELSE ao.context_id END, 
+              oc.orig_obj_id
+           FROM  object_context oc, acs_objects ao
+           WHERE ao.object_id = oc.context_id
+           AND   ao.object_id != v_security_context_root
+    )
+    select p_object_id, p.grantee_id, p.privilege
+    from object_context oc, acs_permissions p where p.object_id = oc.context_id;
+END;
+$$ LANGUAGE plpgsql stable;
+
 --
 -- procedure acs_permission.grant_permission/3
 --
Index: openacs-4/packages/acs-kernel/sql/postgresql/upgrade/upgrade-5.9.1d11-5.9.1d12.sql
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-kernel/sql/postgresql/upgrade/upgrade-5.9.1d11-5.9.1d12.sql,v
diff -u -N
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ openacs-4/packages/acs-kernel/sql/postgresql/upgrade/upgrade-5.9.1d11-5.9.1d12.sql	6 Jul 2016 13:47:03 -0000	1.1.2.1
@@ -0,0 +1,29 @@
+--
+-- procedure acs_permission.permissions_all/1
+--
+CREATE OR REPLACE FUNCTION acs_permission.permissions_all(
+       p_object_id integer
+) RETURNS table (object_id integer, grantee_id integer, privilege varchar) AS $$
+DECLARE
+    v_security_context_root  integer;
+BEGIN
+    v_security_context_root := acs__magic_object_id('security_context_root');
+
+    RETURN QUERY
+    WITH RECURSIVE object_context(obj_id, context_id, orig_obj_id) AS (
+           SELECT p_object_id, p_object_id, p_object_id
+           UNION ALL
+           SELECT
+              ao.object_id,
+              CASE WHEN (ao.security_inherit_p = 'f' OR ao.context_id IS NULL) 
+              THEN v_security_context_root ELSE ao.context_id END, 
+              oc.orig_obj_id
+           FROM  object_context oc, acs_objects ao
+           WHERE ao.object_id = oc.context_id
+           AND   ao.object_id != v_security_context_root
+    )
+    select p_object_id, p.grantee_id, p.privilege
+    from object_context oc, acs_permissions p where p.object_id = oc.context_id;
+END;
+$$ LANGUAGE plpgsql stable;
+
Index: openacs-4/packages/acs-subsite/acs-subsite.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/acs-subsite.info,v
diff -u -N -r1.117.2.19 -r1.117.2.20
--- openacs-4/packages/acs-subsite/acs-subsite.info	5 Jul 2016 14:16:58 -0000	1.117.2.19
+++ openacs-4/packages/acs-subsite/acs-subsite.info	6 Jul 2016 13:47:03 -0000	1.117.2.20
@@ -9,7 +9,7 @@
     <implements-subsite-p>t</implements-subsite-p>
     <inherit-templates-p>t</inherit-templates-p>
     
-    <version name="5.9.1d4" url="http://openacs.org/repository/download/apm/acs-subsite-5.9.1d4.apm">
+    <version name="5.9.1d5" url="http://openacs.org/repository/download/apm/acs-subsite-5.9.1d5.apm">
         <owner url="http://openacs.org">OpenACS</owner>
         <summary>Subsite</summary>
         <release-date>2015-10-04</release-date>
@@ -18,10 +18,10 @@
         <license>GPL</license>
         <maturity>3</maturity>
 
-        <provides url="acs-subsite" version="5.9.1d4"/>
+        <provides url="acs-subsite" version="5.9.1d5"/>
         <requires url="acs-authentication" version="5.9.0"/>
         <requires url="acs-content-repository" version="5.9.0"/>
-        <requires url="acs-kernel" version="5.9.0"/>
+        <requires url="acs-kernel" version="5.9.1d12"/>
         <requires url="acs-tcl" version="5.9.1d7"/>
         <requires url="acs-lang" version="5.9.0"/>
         <requires url="acs-mail-lite" version="5.9.0"/>
Index: openacs-4/packages/acs-subsite/www/permissions/index-postgresql.xql
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/index-postgresql.xql,v
diff -u -N -r1.5 -r1.5.24.1
--- openacs-4/packages/acs-subsite/www/permissions/index-postgresql.xql	16 Jan 2003 13:40:36 -0000	1.5
+++ openacs-4/packages/acs-subsite/www/permissions/index-postgresql.xql	6 Jul 2016 13:47:03 -0000	1.5.24.1
@@ -5,16 +5,15 @@
 
 <fullquery name="adminable_objects">      
       <querytext>
+
  select o.object_id, acs_object__name(o.object_id) as name, context_id, object_type,
-    (case when o.object_id = :root then 0 else 1 end) as child
-  from acs_objects o
-  where exists ( SELECT 1 
-                   FROM acs_permissions_all map 
-                  WHERE map.object_id = o.object_id
-                    and map.grantee_id = :user_id
-                    and map.privilege = 'admin')
-    and (o.object_id = :root or o.context_id = :root)
-    order by child, object_type, name
+    (case when o.object_id = '629' then 0 else 1 end) as child
+ from acs_permission.permission_p_recursive_array(array(
+     select object_id from acs_objects where object_id = :root or context_id = :root
+   ), :user_id, 'admin') p, acs_objects o
+ where p.orig_object_id = o.object_id
+ order by child, object_type, name
+ 
       </querytext>
 </fullquery>
 
Index: openacs-4/packages/acs-subsite/www/permissions/one-postgresql.xql
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/one-postgresql.xql,v
diff -u -N -r1.7 -r1.7.18.1
--- openacs-4/packages/acs-subsite/www/permissions/one-postgresql.xql	24 Feb 2005 11:10:31 -0000	1.7
+++ openacs-4/packages/acs-subsite/www/permissions/one-postgresql.xql	6 Jul 2016 13:47:03 -0000	1.7.18.1
@@ -12,15 +12,13 @@
  
 <fullquery name="inherited_permissions">      
       <querytext>
-      
+
   select grantee_id, grantee_name, privilege
-  from (select grantee_id, acs_object__name(grantee_id) as grantee_name,
-               privilege, 1 as counter
-        from acs_permissions_all
-        where object_id = :object_id
+  from (
+	select grantee_id, acs_object__name(grantee_id) as grantee_name, privilege, 1 as counter
+	from acs_permission.permissions_all(:object_id)
         union all
-        select grantee_id, acs_object__name(grantee_id) as grantee_name,
-               privilege, -1 as counter
+        select grantee_id, acs_object__name(grantee_id) as grantee_name, privilege, -1 as counter
         from acs_permissions
         where object_id = :object_id ) dummy
   group by grantee_id, grantee_name, privilege
@@ -53,28 +51,31 @@
 
  
 <fullquery name="children">      
-      <querytext>
-      
-	select object_id as c_object_id,acs_object__name(object_id) as c_name, object_type as c_type
-	from acs_objects o
-	where context_id = :object_id
-              and exists (select 1
-                          from acs_permissions_all
-                          where object_id = o.object_id
-                          and grantee_id = :user_id
-                          and privilege = 'admin')    
-      </querytext>
+  <querytext>
+    
+  select
+    o.object_id as c_object_id,
+    acs_object__name(o.object_id) as c_name,
+    o.object_type as c_type
+  from
+    acs_permission.permission_p_recursive_array(array(
+       select object_id from acs_objects o where context_id = :object_id
+    ), :user_id, 'admin') p
+  join acs_objects o on (p.orig_object_id = o.object_id)
+			  
+  </querytext>
 </fullquery>
 
+
 <fullquery name="children_count">      
-      <querytext>
-      
-	select count(*) as num_children
-	from acs_objects o
-	where context_id = :object_id and
-            acs_permission__permission_p(o.object_id, :user_id, 'admin') = 't'
+  <querytext>
 
-      </querytext>
+  select count(*) as num_children
+  from acs_permission.permission_p_recursive_array(array(
+       select object_id from acs_objects o where context_id = :object_id
+    ), :user_id, 'admin')
+
+  </querytext>
 </fullquery>
  
 </queryset>
Index: openacs-4/packages/acs-subsite/www/permissions/one.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/one.tcl,v
diff -u -N -r1.17.2.4 -r1.17.2.5
--- openacs-4/packages/acs-subsite/www/permissions/one.tcl	28 Oct 2015 09:38:39 -0000	1.17.2.4
+++ openacs-4/packages/acs-subsite/www/permissions/one.tcl	6 Jul 2016 13:47:03 -0000	1.17.2.5
@@ -8,7 +8,7 @@
     @creation-date 2000-08-20
     @cvs-id $Id$
 } {
-    object_id:naturalnum,notnull
+    object_id:integer,notnull
     {children_p:boolean "f"}
     {application_url ""}
 }
@@ -30,11 +30,9 @@
 
 set context [list [list "./" [_ acs-subsite.Permissions]] [_ acs-subsite.Permissions_for_name]]
 
-db_multirow inherited inherited_permissions {} { 
-}
+db_multirow inherited inherited_permissions {} {}
 
-db_multirow acl acl {} {
-}
+db_multirow acl acl {} {}
 
 set controls [list]
 set controlsUrl [export_vars -base grant {application_url object_id}]
@@ -50,7 +48,7 @@
     lappend controls "<a href=\"[ns_quotehtml $toggleUrl]\">Inherit Permissions from [ns_quotehtml $context_name]</a>"
 }
 
-set controls "\[ [join $controls " | "] \]"
+set controls "\[ [join $controls { | }] \]"
 
 set export_form_vars [export_vars -form {object_id application_url}]
 
Index: openacs-4/packages/acs-subsite/www/permissions/perm-include-postgresql.xql
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/perm-include-postgresql.xql,v
diff -u -N -r1.4.18.1 -r1.4.18.2
--- openacs-4/packages/acs-subsite/www/permissions/perm-include-postgresql.xql	3 Jul 2016 15:03:44 -0000	1.4.18.1
+++ openacs-4/packages/acs-subsite/www/permissions/perm-include-postgresql.xql	6 Jul 2016 13:47:03 -0000	1.4.18.2
@@ -24,8 +24,7 @@
            sum([join $privs "_p + "]_p) as any_perm_p_
     from   (select grantee_id,
                    [join $from_all_clauses ", "]
-            from   acs_permissions_all
-            where  object_id = :object_id
+            from   acs_permission.permissions_all(:object_id)
             union all
             select grantee_id,
                    [join $from_direct_clauses ", "]
Index: openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.xql
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.xql,v
diff -u -N -r1.3 -r1.3.6.1
--- openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.xql	8 Jun 2010 21:15:41 -0000	1.3
+++ openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.xql	6 Jul 2016 13:47:03 -0000	1.3.6.1
@@ -15,16 +15,4 @@
       </querytext>
 </fullquery>
 
-<fullquery name="users_who_dont_have_any_permissions_paginator">
-      <querytext>
-
-    select u.user_id,
-           u.first_names || ' ' || u.last_name
-    from   cc_users u
-    where  u.user_id not in (select grantee_id from acs_permissions_all where object_id = :object_id)
-    order  by upper(first_names), upper(last_name)
-
-      </querytext>
-</fullquery>
-
 </queryset>