There are 3 permissions atm: read, write, and create_child. Each permission links a node to a group (you can set the same permission multiple times to different groups to set that permission for many groups).
Additionally, the system applies permissions in this order, with successive steps overwriting the prior steps iff a permission is set. Otherwise, the first step acts as a default for the node's permissions.
- the permissions of its parent
- explicitly inherited permissions
- permissions set directly on the node
explicitly inherited permissions mean?
Alongside the three main permissions, an infinite set of derivative permissions exist: read_inherit, read_inherit_inherit, read_inherit_inherit_inherit, etc. When a node has an _inherit permission set on it, then it's like the child inherits that permission, except the last
_inherit is removed. So a blog-node might have
create_child = group_admins and
create_child_inherit = group_all, which means that only admins can create child-nodes, but those child-nodes will have
create_child = group_all set on it.