This might sound a little bit strange as there are a `deny_user()` and a `deny_group()` function in the library but you aren't really able to deny a permission using AAuth. The deny-functions only remove a permission from a group/user but that is not the same as actually denying permissions.
Let me explain the problem:
Imagine a little app with a group called "authors". This group has multiple permissions like "article.edit", "article.create", "article.delete", etc. - now you've got a bunch of users who are all members of this group but there is this one guy that has a reputation of being stupid. And because of that you don't want him to be able to delete articles.
And that's a problem. The only way to do this using AAuth is by creating a second group called "stupid_authors" which has all the same permissions as "authors" but is missing the "article.delete"-permission.
The problem is that AAuth only keeps track of permissions that are "allowed" but not of permissions that are "denied". If you would store a "state" for each permission in the `perm_to_group` and `perm_to_user` tables this could easily be added. Set the state-field to 1 for permissions that are allowed and to 2 for permissions that are denied. If no entry is there, it should just work as today. Then, when you check if a group or user has a permission there are three possibilities:
1. somewhere in the perm_to_group/user tables there is an entry with "state=1"
2. somewhere in the perm_to_group/user tables there is an entry with "state=2"
3. there is no entry in any table
If either 2. or 3. is true, then the permission is denied.
If only 1. is true, then the permission is allowed.
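
The three-case check proposed above, as an added example that is not part of the original issue or of AAuth's own code. The row layout (`user`, `group`, `perm` keys), the function name `is_allowed` and the sample users are assumptions; only the table names and the `state` values 1 and 2 come from the issue.

```php
<?php
// Added example: deny-overrides resolution over tri-state permission rows.
// Row keys are assumed; the issue only names the tables and the "state" field.
const STATE_ALLOW = 1;
const STATE_DENY  = 2;

/**
 * @param array $userGroups  names of the groups the user belongs to
 * @param array $permToUser  rows of ['user' => ..., 'perm' => ..., 'state' => ...]
 * @param array $permToGroup rows of ['group' => ..., 'perm' => ..., 'state' => ...]
 */
function is_allowed(string $user, string $perm, array $userGroups,
                    array $permToUser, array $permToGroup): bool
{
    $states = [];
    foreach ($permToUser as $row) {
        if ($row['user'] === $user && $row['perm'] === $perm) {
            $states[] = (int) $row['state'];
        }
    }
    foreach ($permToGroup as $row) {
        if (in_array($row['group'], $userGroups, true) && $row['perm'] === $perm) {
            $states[] = (int) $row['state'];
        }
    }
    // Case 2: any explicit deny wins, even if a group grants the permission.
    if (in_array(STATE_DENY, $states, true)) {
        return false;
    }
    // Case 1 alone allows; case 3 (no rows, or unknown state values) stays denied.
    return in_array(STATE_ALLOW, $states, true);
}

// Constructed sample data for the "authors" scenario from the issue.
$permToGroup = [
    ['group' => 'authors', 'perm' => 'article.edit',   'state' => STATE_ALLOW],
    ['group' => 'authors', 'perm' => 'article.delete', 'state' => STATE_ALLOW],
];
$permToUser = [
    // One author is explicitly denied deletion without needing a second group.
    ['user' => 'bob', 'perm' => 'article.delete', 'state' => STATE_DENY],
];

foreach ([['alice', 'article.delete'], ['bob', 'article.delete'],
          ['bob', 'article.edit'], ['alice', 'article.publish']] as [$u, $p]) {
    $ok = is_allowed($u, $p, ['authors'], $permToUser, $permToGroup);
    printf("%-6s %-16s %s\n", $u, $p, $ok ? 'allowed' : 'denied');
}
```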