Index: openacs-4/packages/acs-core-docs/www/permissions-tediously-explained.html
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/permissions-tediously-explained.html,v
diff -u -r1.1.2.1 -r1.1.2.2
--- openacs-4/packages/acs-core-docs/www/permissions-tediously-explained.html	24 Nov 2002 21:29:18 -0000	1.1.2.1
+++ openacs-4/packages/acs-core-docs/www/permissions-tediously-explained.html	20 Dec 2002 04:42:24 -0000	1.1.2.2
@@ -9,8 +9,8 @@
       of code and trying to understand exactly what went wrong.
       It is geared towards developers who understand the general permissions
       system to the extent that is described in the 
-      <a href="http://openacs.org/doc/openacs-4/developer-guide/permissions.html" target="_top">
-      OpenACS 4.x Permisisons documentation</a>,
+      <a href="http://openacs.org/doc/openacs-4/permissions.html" target="_top">
+      OpenACS 4.x Permissions documentation</a>,
       but who haven't had the opportunity to take a long, careful look at the
       system internals.
     </p><p>
@@ -86,7 +86,7 @@
       to store permission information explicitly about every object, i.e. if the system has 100,000 and 1,000 users
       who have the <span class="emphasis"><em>read</em></span> privilege on all objects, then we would need to store 100,000,000
       entries of the form: 
-    </p><div class="table"><a name="id2825369"></a><p class="title"><b>Table�5.1.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="center">object_id</th><th align="center">grantee_id</th><th align="center">privilege</th></tr></thead><tbody><tr><td align="center">object_id_1</td><td align="center">user_id_1</td><td align="center">'read'</td></tr><tr><td align="center">object_id_1</td><td align="center">user_id_2</td><td align="center">'read'</td></tr><tr><td colspan="3" align="center">...</td></tr><tr><td align="center">object_id_1</td><td align="center">user_id_n</td><td align="center">'read'</td></tr><tr><td align="center">object_id_2</td><td align="center">user_id_1</td><td align="center">'read'</td></tr><tr><td align="center">object_id_2</td><td align="center">user_id_2</td><td align="center">'read'</td></tr><tr><td colspan="3" align="center">...</td></tr><tr><td align="center">object_id_2</td><td align="center">user_id_n</td><td align="center">'read'</td></tr><tr><td colspan="3" align="center">...</td></tr><tr><td colspan="3" align="center">...</td></tr><tr><td align="center">object_id_m</td><td align="center">user_id_1</td><td align="center">'read'</td></tr><tr><td align="center">object_id_m</td><td align="center">user_id_2</td><td align="center">'read'</td></tr><tr><td colspan="3" align="center">...</td></tr><tr><td align="center">object_id_m</td><td align="center">user_id_n</td><td align="center">'read'</td></tr></tbody></table></div><p>
+    </p><div class="table"><a name="id2889269"></a><p class="title"><b>Table�5.1.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="center">object_id</th><th align="center">grantee_id</th><th align="center">privilege</th></tr></thead><tbody><tr><td align="center">object_id_1</td><td align="center">user_id_1</td><td align="center">'read'</td></tr><tr><td align="center">object_id_1</td><td align="center">user_id_2</td><td align="center">'read'</td></tr><tr><td colspan="3" align="center">...</td></tr><tr><td align="center">object_id_1</td><td align="center">user_id_n</td><td align="center">'read'</td></tr><tr><td align="center">object_id_2</td><td align="center">user_id_1</td><td align="center">'read'</td></tr><tr><td align="center">object_id_2</td><td align="center">user_id_2</td><td align="center">'read'</td></tr><tr><td colspan="3" align="center">...</td></tr><tr><td align="center">object_id_2</td><td align="center">user_id_n</td><td align="center">'read'</td></tr><tr><td colspan="3" align="center">...</td></tr><tr><td colspan="3" align="center">...</td></tr><tr><td align="center">object_id_m</td><td align="center">user_id_1</td><td align="center">'read'</td></tr><tr><td align="center">object_id_m</td><td align="center">user_id_2</td><td align="center">'read'</td></tr><tr><td colspan="3" align="center">...</td></tr><tr><td align="center">object_id_m</td><td align="center">user_id_n</td><td align="center">'read'</td></tr></tbody></table></div><p>
       Although quite feasible, this approach fails to take advantage of the fact
       that objects in the system are commonly organized hierarchally,
       and permissions usually follow the hierarchical structure, so that if user
@@ -101,7 +101,7 @@
     </p></div><div class="sect2"><div class="titlepage"><div><h3 class="title"><a name="permissions-tedious-context-hierarchy"></a>Context Hierarchy</h3></div></div><p>
       Suppose objects <span class="emphasis"><em>A</em></span>, <span class="emphasis"><em>B</em></span>, ..., 
       and <span class="emphasis"><em>F</em></span> form the following hierarchy. 
-    </p><div class="table"><a name="id2825737"></a><p class="title"><b>Table�5.2.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><tbody><tr><td colspan="3" align="center"><span class="bold"><b>A</b></span><p>
+    </p><div class="table"><a name="id2889641"></a><p class="title"><b>Table�5.2.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><tbody><tr><td colspan="3" align="center"><span class="bold"><b>A</b></span><p>
   	        <tt>object_id=10</tt>
               </p></td></tr><tr><td colspan="2" align="center"><span class="bold"><b>B</b></span><p>
   	        <tt>object_id=20</tt>
@@ -117,23 +117,23 @@
       This can be represented in the <tt>
       <a href="permissions-tediously-explained.html#acs_objects">acs_objects</a></tt> table
       by the following entries: 
-    </p><div class="table"><a name="id2825938"></a><p class="title"><b>Table�5.3.�</b></p><table border="1"><colgroup><col align="center"><col align="center"></colgroup><thead><tr><th align="center">object_id</th><th align="center">context_id</th></tr></thead><tbody><tr><td align="center">20</td><td align="center">10</td></tr><tr><td align="center">30</td><td align="center">10</td></tr><tr><td align="center">40</td><td align="center">20</td></tr><tr><td align="center">50</td><td align="center">20</td></tr><tr><td align="center">60</td><td align="center">30</td></tr></tbody></table></div><p>
+    </p><div class="table"><a name="id2889860"></a><p class="title"><b>Table�5.3.�</b></p><table border="1"><colgroup><col align="center"><col align="center"></colgroup><thead><tr><th align="center">object_id</th><th align="center">context_id</th></tr></thead><tbody><tr><td align="center">20</td><td align="center">10</td></tr><tr><td align="center">30</td><td align="center">10</td></tr><tr><td align="center">40</td><td align="center">20</td></tr><tr><td align="center">50</td><td align="center">20</td></tr><tr><td align="center">60</td><td align="center">30</td></tr></tbody></table></div><p>
       The first entry tells us that object 20 is the descendant of object 10, and
       the third entry shows that object 40 is the descendant of object 20. By
       running a <a href="http://www.oradoc.com/ora817/server.817/a85397/expressi.htm#1023748" target="_top">CONNECT BY</a> query,
       we can compute that object 40 is the second-generation descendant of object 10.
       With this in mind, if we want to record the fact that user Joe has the <span class="emphasis"><em>read</em></span> privilege on objects
       <span class="emphasis"><em>A</em></span>, ..., <span class="emphasis"><em>F</em></span>, we only need to record one entry in the
       <tt><a href="permissions-tediously-explained.html#acs_permissions">acs_permissions</a></tt> table. 
-    </p><div class="table"><a name="id2826094"></a><p class="title"><b>Table�5.4.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="center">object</th><th align="center">grantee</th><th align="center">privilege</th></tr></thead><tbody><tr><td align="center">A</td><td align="center">Joe</td><td align="center">read</td></tr></tbody></table></div><p>
+    </p><div class="table"><a name="id2890023"></a><p class="title"><b>Table�5.4.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="center">object</th><th align="center">grantee</th><th align="center">privilege</th></tr></thead><tbody><tr><td align="center">A</td><td align="center">Joe</td><td align="center">read</td></tr></tbody></table></div><p>
       The fact that Joe can also read <span class="emphasis"><em>B</em></span>, <span class="emphasis"><em>C</em></span>, 
       ..., and <span class="emphasis"><em>F</em></span> can be derived by ascertaining that these objects 
       are children of <span class="emphasis"><em>A</em></span> by traversing the context hierarchy.
       As it turns out, hierarchical queries are expensive.  As
       Rafael Schloming put it so aptly, <span class="emphasis"><em>Oracle can't deal with hierarchies for shit.</em></span> 
     </p><p>
       One way to solve this problem is to cache a flattened view of the context tree like so: 
-    </p><div class="table"><a name="id2826218"></a><p class="title"><b>Table�5.5.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="center">object</th><th align="center">ancestor</th><th align="center">n_generations</th></tr></thead><tbody><tr><td align="center">A</td><td align="center">A</td><td align="center">0</td></tr><tr><td align="center">B</td><td align="center">B</td><td align="center">0</td></tr><tr><td align="center">B</td><td align="center">A</td><td align="center">1</td></tr><tr><td align="center">C</td><td align="center">C</td><td align="center">0</td></tr><tr><td align="center">C</td><td align="center">A</td><td align="center">1</td></tr><tr><td align="center">D</td><td align="center">D</td><td align="center">0</td></tr><tr><td align="center">D</td><td align="center">B</td><td align="center">1</td></tr><tr><td align="center">D</td><td align="center">A</td><td align="center">2</td></tr><tr><td align="center">E</td><td align="center">E</td><td align="center">0</td></tr><tr><td align="center">E</td><td align="center">B</td><td align="center">1</td></tr><tr><td align="center">E</td><td align="center">A</td><td align="center">2</td></tr><tr><td align="center">F</td><td align="center">F</td><td align="center">0</td></tr><tr><td align="center">F</td><td align="center">C</td><td align="center">1</td></tr><tr><td align="center">F</td><td align="center">A</td><td align="center">2</td></tr></tbody></table></div><p>
+    </p><div class="table"><a name="id2890145"></a><p class="title"><b>Table�5.5.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="center">object</th><th align="center">ancestor</th><th align="center">n_generations</th></tr></thead><tbody><tr><td align="center">A</td><td align="center">A</td><td align="center">0</td></tr><tr><td align="center">B</td><td align="center">B</td><td align="center">0</td></tr><tr><td align="center">B</td><td align="center">A</td><td align="center">1</td></tr><tr><td align="center">C</td><td align="center">C</td><td align="center">0</td></tr><tr><td align="center">C</td><td align="center">A</td><td align="center">1</td></tr><tr><td align="center">D</td><td align="center">D</td><td align="center">0</td></tr><tr><td align="center">D</td><td align="center">B</td><td align="center">1</td></tr><tr><td align="center">D</td><td align="center">A</td><td align="center">2</td></tr><tr><td align="center">E</td><td align="center">E</td><td align="center">0</td></tr><tr><td align="center">E</td><td align="center">B</td><td align="center">1</td></tr><tr><td align="center">E</td><td align="center">A</td><td align="center">2</td></tr><tr><td align="center">F</td><td align="center">F</td><td align="center">0</td></tr><tr><td align="center">F</td><td align="center">C</td><td align="center">1</td></tr><tr><td align="center">F</td><td align="center">A</td><td align="center">2</td></tr></tbody></table></div><p>
       Note that the number of entries in the flattened view grows exponentially with
       respect to the depth of the context tree.  For instance, if you have a fully
       populated binary tree with a depth of <span class="emphasis"><em>n</em></span>, then the number of entries
@@ -204,7 +204,7 @@
       an object's <tt>security_inherit_p</tt> column to 'f', you can stop permissions
       from cascading down the context tree. In the following example, Joe does not have
       the read permissions on <span class="emphasis"><em>C</em></span> and <span class="emphasis"><em>F</em></span>. 
-    </p><div class="table"><a name="id2826845"></a><p class="title"><b>Table�5.6.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><tbody><tr><td colspan="3" align="center"><div class="literallayout"><p><br>
+    </p><div class="table"><a name="id2890804"></a><p class="title"><b>Table�5.6.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><tbody><tr><td colspan="3" align="center"><div class="literallayout"><p><br>
 <span class="bold"><b>A</b></span><br>
 <tt>object_id=10</tt><br>
 <span class="emphasis"><em>readable�by�Joe</em></span><br>
@@ -232,7 +232,7 @@
       Privileges are also organized hierarchically.  In addition to the five main system privileges
       defined in the ACS Kernel data model, application developers may define their own. For instance,
       the Bboard package defines the following privileges: 
-    </p><div class="table"><a name="id2827068"></a><p class="title"><b>Table�5.7.�</b></p><table border="1"><colgroup><col align="center"></colgroup><thead><tr><th align="center">privilege</th></tr></thead><tbody><tr><td align="center">create_category</td></tr><tr><td align="center">create_forum</td></tr><tr><td align="center">create_message</td></tr><tr><td align="center">delete_category</td></tr><tr><td align="center">delete_forum</td></tr><tr><td align="center">delete_message</td></tr><tr><td align="center">moderate_forum</td></tr><tr><td align="center">read_category</td></tr><tr><td align="center">read_forum</td></tr><tr><td align="center">read_message</td></tr><tr><td align="center">write_category</td></tr><tr><td align="center">write_forum</td></tr><tr><td align="center">write_message</td></tr></tbody></table></div><p>
+    </p><div class="table"><a name="id2891077"></a><p class="title"><b>Table�5.7.�</b></p><table border="1"><colgroup><col align="center"></colgroup><thead><tr><th align="center">privilege</th></tr></thead><tbody><tr><td align="center">create_category</td></tr><tr><td align="center">create_forum</td></tr><tr><td align="center">create_message</td></tr><tr><td align="center">delete_category</td></tr><tr><td align="center">delete_forum</td></tr><tr><td align="center">delete_message</td></tr><tr><td align="center">moderate_forum</td></tr><tr><td align="center">read_category</td></tr><tr><td align="center">read_forum</td></tr><tr><td align="center">read_message</td></tr><tr><td align="center">write_category</td></tr><tr><td align="center">write_forum</td></tr><tr><td align="center">write_message</td></tr></tbody></table></div><p>
       By defining parent-child relationship between privileges, the OpenACS data model
       makes it easier for developers to manage permissions.  Instead of granting
       a user explicit <span class="emphasis"><em>read</em></span>, <span class="emphasis"><em>write</em></span>, <span class="emphasis"><em>delete</em></span>, 
@@ -241,7 +241,7 @@
       privilege to which the first four privileges are tied. To give
       a more detailed example, the Bboard privileges are structured
       as follows.
-    </p><div class="table"><a name="id2827253"></a><p class="title"><b>Table�5.8.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"></colgroup><tbody><tr><td colspan="13" align="center">admin</td></tr><tr><td colspan="3" align="center">create</td><td colspan="3" align="center">delete</td><td colspan="3" align="center">read</td><td colspan="3" align="center">write</td><td rowspan="2" align="center" valign="middle">moderate forum</td></tr><tr><td align="center">create category</td><td align="center">create forum</td><td align="center">create message</td><td align="center">delete category</td><td align="center">delete forum</td><td align="center">delete message</td><td align="center">read category</td><td align="center">read forum</td><td align="center">read message</td><td align="center">write category</td><td align="center">write forum</td><td align="center">write message</td></tr></tbody></table></div><p>
+    </p><div class="table"><a name="id2891263"></a><p class="title"><b>Table�5.8.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"><col align="center"></colgroup><tbody><tr><td colspan="13" align="center">admin</td></tr><tr><td colspan="3" align="center">create</td><td colspan="3" align="center">delete</td><td colspan="3" align="center">read</td><td colspan="3" align="center">write</td><td rowspan="2" align="center" valign="middle">moderate forum</td></tr><tr><td align="center">create category</td><td align="center">create forum</td><td align="center">create message</td><td align="center">delete category</td><td align="center">delete forum</td><td align="center">delete message</td><td align="center">read category</td><td align="center">read forum</td><td align="center">read message</td><td align="center">write category</td><td align="center">write forum</td><td align="center">write message</td></tr></tbody></table></div><p>
       The parent-child relationship between privileges is represented in
       the <tt>acs_privilege_hierarchy</tt> table: 
     </p><a name="acs_privilege_hierarchy"></a><pre class="programlisting">
@@ -287,7 +287,7 @@
     </p></div><div class="sect2"><div class="titlepage"><div><h3 class="title"><a name="permissions-tedious-party-hierarchy"></a>Party Hierarchy</h3></div></div><p>
       Now for the third hierarchy playing a promiment role in the permission system. The party
       data model is set up as follows. 
-    </p><div class="table"><a name="id2827600"></a><p class="title"><b>Table�5.9.�</b></p><table border="1"><colgroup><col align="center"><col align="center"></colgroup><tbody><tr><td colspan="2" align="center"><a href="permissions-tediously-explained.html#tedious-parties">parties</a></td></tr><tr><td align="center"><a href="permissions-tediously-explained.html#persons">persons</a></td><td rowspan="2" align="center" valign="top"><a href="permissions-tediously-explained.html#groups">groups</a></td></tr><tr><td align="center"><a href="permissions-tediously-explained.html#users">users</a></td></tr></tbody></table></div><a name="tedious-parties"></a><pre class="programlisting">
+    </p><div class="table"><a name="id2891633"></a><p class="title"><b>Table�5.9.�</b></p><table border="1"><colgroup><col align="center"><col align="center"></colgroup><tbody><tr><td colspan="2" align="center"><a href="permissions-tediously-explained.html#tedious-parties">parties</a></td></tr><tr><td align="center"><a href="permissions-tediously-explained.html#persons">persons</a></td><td rowspan="2" align="center" valign="top"><a href="permissions-tediously-explained.html#groups">groups</a></td></tr><tr><td align="center"><a href="permissions-tediously-explained.html#users">users</a></td></tr></tbody></table></div><a name="tedious-parties"></a><pre class="programlisting">
   create table <span class="bold"><b>parties</b></span> (
       party_id
           not null
@@ -371,7 +371,7 @@
     </pre><p>
       The <tt><a href="permissions-tediously-explained.html#acs_rels">acs_rels</a></tt> 
       table entries would look like so: 
-    </p><div class="table"><a name="id2827978"></a><p class="title"><b>Table�5.10.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="center"><tt>rel_type</tt></th><th align="center"><tt>object_one</tt></th><th align="center"><tt>object_two</tt></th></tr></thead><tbody><tr><td align="center">
+    </p><div class="table"><a name="id2892076"></a><p class="title"><b>Table�5.10.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="center"><tt>rel_type</tt></th><th align="center"><tt>object_one</tt></th><th align="center"><tt>object_two</tt></th></tr></thead><tbody><tr><td align="center">
 	      membership_rel
 	    </td><td align="center">
 	      Pranksters
@@ -406,7 +406,7 @@
     </pre><p>
       The relevant entries in the 
       <tt><a href="permissions-tediously-explained.html#acs_rels">acs_rels</a></tt> look like so. 
-    </p><div class="table"><a name="id2828198"></a><p class="title"><b>Table�5.11.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="center"><tt>rel_type</tt></th><th align="center"><tt>object_one</tt></th><th align="center"><tt>object_two</tt></th></tr></thead><tbody><tr><td align="center">
+    </p><div class="table"><a name="id2892319"></a><p class="title"><b>Table�5.11.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="center"><tt>rel_type</tt></th><th align="center"><tt>object_one</tt></th><th align="center"><tt>object_two</tt></th></tr></thead><tbody><tr><td align="center">
 	      composition_rel
 	    </td><td align="center">
 	      Pranksters
@@ -617,7 +617,7 @@
     </pre><p>
       Note that in the above example, <tt>acs_permissions</tt> had only
       one entry that needed to be deleted: 
-    </p><div class="table"><a name="id2828836"></a><p class="title"><b>Table�5.12.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="center"><tt>object_id</tt></th><th align="center"><tt>grantee_id</tt></th><th align="center"><tt>privilege</tt></th></tr></thead><tbody><tr><td align="center">
+    </p><div class="table"><a name="id2893064"></a><p class="title"><b>Table�5.12.�</b></p><table border="1"><colgroup><col align="center"><col align="center"><col align="center"></colgroup><thead><tr><th align="center"><tt>object_id</tt></th><th align="center"><tt>grantee_id</tt></th><th align="center"><tt>privilege</tt></th></tr></thead><tbody><tr><td align="center">
 	      default_context
 	    </td><td align="center">
 	      registered_users

object_id	grantee_id	privilege
object_id_1	user_id_1	'read'
object_id_1	user_id_2	'read'
...
object_id_1	user_id_n	'read'
object_id_2	user_id_1	'read'
object_id_2	user_id_2	'read'
...
object_id_2	user_id_n	'read'
...
...
object_id_m	user_id_1	'read'
object_id_m	user_id_2	'read'
...
object_id_m	user_id_n	'read'