There are 3 permissions atm: read, write, and create_child. Each permission links a node to a group (you can set the same permission multiple times to different groups to set that permission for many groups).
Additionally, the system applies permissions in this order, with successive steps overwriting the prior steps iff a permission is set. Otherwise, the first step acts as a default for the node's permissions.
- the permissions of its parent
- explicitly inherited permissions
- permissions set directly on the node
What does explicitly inherited permissions
mean?
Alongside the three main permissions, an infinite set of derivative permissions exist: read_inherit, read_inherit_inherit, read_inherit_inherit_inherit, etc. When a node has an _inherit permission set on it, then it's like the child inherits that permission, except the last _inherit is removed. So a blog-node might have create_child = group_admins and create_child_inherit = group_all, which means that only admins can create child-nodes, but those child-nodes will have create_child = group_all set on it.