Allow inheritance at the permission level of each action for workflows using 'default'
When using 'Deny' with the 'Everyone' role to specify an ACM, it is not possible to use inheritance to specify the other roles' permissions for the action: since a user having one of the other roles will also have 'Everyone', 'Deny' will take precedence.
See #2236 for a concrete example of how it breaks.
This should not happen because the ACL is sorted: Everyone should be the last in the list and the other roles should match first. We should debug this with the referenced issue.
It does not work because Deny for Everyone takes precedence in the ACL of the resource at depth n over Allow for Participant in the ACL of resource at depth n - 1.
Maybe the conversion to ACL is unexpected in its behavior with the 'defaults' flag and '~'.
'~' was initially for saying 'look up the ACL higher in the hierarchy'.
Now do we want the semantic to say 'take the value of the default ACM'?
We should stick with the one semantic 'look up the ACL higher in the hierarchy'.
The natural way to express 'take the value of the default ACM' would be not to set the permission to role mapping, but this makes the merge code quite complicated, or?
I think it also makes the logic a bit more complicated, including for the user, when one operator could have two different meanings.
That said we do not have a solution for (private) workflows to override only partially the permissions for an action.
Solution: introduce a new operator?! Much complexity for little gain.
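
The precedence problem discussed in this thread, as an added example that is not part of the original discussion or the project's code. It assumes a simplified first-match-wins evaluation that walks from the resource up through its parents; the resource names, the `create_comment` permission and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY, EVERYONE = "Allow", "Deny", "Everyone"
PERM = "create_comment"  # constructed permission name


@dataclass
class Resource:
    name: str
    acl: list = field(default_factory=list)  # [(action, principal, permission)]
    parent: Optional["Resource"] = None


def sort_acl(acl):
    """Move Everyone entries to the end so specific roles match first."""
    return sorted(acl, key=lambda ace: ace[1] == EVERYONE)  # stable sort


def permits(resource, principals, permission):
    """Return (decision, resource name, principal) of the first matching entry."""
    node = resource
    while node is not None:  # assumption: nearest resource is consulted first
        for action, principal, perm in sort_acl(node.acl):
            if perm == permission and principal in principals:
                return action, node.name, principal
        node = node.parent
    return DENY, None, None  # nothing matched anywhere: default deny


# Constructed hierarchy: the parent (depth n - 1) allows Participant,
# the child (depth n) only carries Deny for Everyone.
parent = Resource("process", [(ALLOW, "Participant", PERM)])
child = Resource("proposal", [(DENY, EVERYONE, PERM)], parent)

# Sorting only helps when the role is restated in the same ACL as the Deny.
child_explicit = Resource(
    "proposal", [(DENY, EVERYONE, PERM), (ALLOW, "Participant", PERM)], parent
)

# A user holding the Participant role always carries Everyone as well.
participant = {"Participant", EVERYONE}

if __name__ == "__main__":
    for res in (parent, child, child_explicit):
        print(res.name, res.acl, "->", permits(res, participant, PERM))
```

Sorting Everyone last is applied per ACL, so it cannot reorder entries across depths: the child's Deny is reached before the parent's Allow is ever consulted.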