Development

About ownership of objects

posts: 29 Belgium

You should make groups more like phpgacl AROs.

I mean: on creation of a user, a special group is created with a singleton user attached to it as well.

You'd have a user (for instance gongo), belonging to groups RegisteredUsers and "UserSingletonGroup:Gongo" or something similar that is not allowed for groupnames when you create groups, and so the groupname would not exist. It belongs to the user just as much as the user belongs to it.

When adding ownership, link to the group instead of the user. For every object in the category/object hierarchy you create, allow ownership to be one of several: "UserSingletonGroup:Gongo" (logged in user's group), Anonymous group (not logged in) or any of the groups a user belongs to or any other group.

Access rights could be simplified in the case where you are the owner, or belong to a group that is owner of a certain object. You then have the access rights for all applicable actions of that object, without even any record being read or parsed for allowable actions.

If you are not in one of the owning groups, either implicitly or explicitly, you cannot assume permissions and you should parse the permission tree to see if you can use something. Having no rights defined would result in a (soft) deny. Having a GRANT made on a parental object allows you to go for it. Having a DENY on some object and one group and later on a GRANT, grant will be the default action.

Having a grant and later a deny would result in a deny.

If on same level, then check the level of nesting: usersingletongroup is denied? deny right to action.
usersingletongroup is granted? grant right to action.

The one with the deepest nesting for the usersingletongroup is the one that loses out and the closest nesting prevails.

Anonymous is the parent group for all groups.
It contains the anonymous user (the default when not logged in) and RegisteredUser.

RegisteredUser contains all UserSingletonGroups by default (they are added, and cannot be removed from it, nor can anonymous, admin and Anonymous/RegisteredUser).

User is only used to store user specific preferences and to create the extra group. Those preferences contain the tiki settings, the user's password, ...
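The resolution order proposed in the post above, as an added example that is not part of the original post or of Tiki's code: owner shortcut first, then the nearest object level carrying a matching rule, then the closest group nesting, and a soft deny when nothing matches. All group, object and action names are constructed, "later" is read as "deeper in the object hierarchy", and letting DENY win an exact tie is an assumption the post does not cover.

```python
from collections import deque

# Constructed sample data; every name here is hypothetical.
CONTAINED_IN = {  # group -> groups that contain it
    "UserSingletonGroup:Gongo": ["RegisteredUsers", "Editors"],
    "UserSingletonGroup:Ann": ["RegisteredUsers"],
    "Editors": ["RegisteredUsers"],
    "RegisteredUsers": ["Anonymous"],
}
OBJECT_PARENT = {"wiki": None, "wiki/HomePage": "wiki",
                 "wiki/Drafts": "wiki", "gallery": None}
OWNERS = {"wiki/Drafts": {"UserSingletonGroup:Gongo"}}
RULES = {  # (object, group, action) -> verdict
    ("wiki", "Anonymous", "view"): "GRANT",
    ("wiki", "RegisteredUsers", "edit"): "DENY",
    ("wiki", "UserSingletonGroup:Ann", "edit"): "GRANT",
    ("wiki/HomePage", "Editors", "edit"): "GRANT",
    ("wiki/HomePage", "UserSingletonGroup:Ann", "view"): "DENY",
}

def group_distances(singleton):
    """Nesting distance from the user's singleton group to each group it sits in."""
    dist, queue = {singleton: 0}, deque([singleton])
    while queue:
        group = queue.popleft()
        for parent in CONTAINED_IN.get(group, ()):
            if parent not in dist:
                dist[parent] = dist[group] + 1
                queue.append(parent)
    return dist

def is_allowed(singleton, obj, action):
    dist = group_distances(singleton)
    # Owner shortcut: owning groups get every action, no rule is read.
    if dist.keys() & OWNERS.get(obj, set()):
        return True
    node = obj
    while node is not None:  # nearest object level with a matching rule decides
        hits = [(dist[g], verdict == "GRANT")
                for (o, g, a), verdict in RULES.items()
                if o == node and a == action and g in dist]
        if hits:
            # Closest group nesting prevails; assumption: DENY wins an exact tie.
            return min(hits)[1]
        node = OBJECT_PARENT.get(node)
    return False  # no rule anywhere: soft deny
```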
