4.9.3 Evaluation of the ACL: how is determined if someone gets access to a document

The determination of the authorisation of the various operations for a certain document happens as follows:

1. If the user is acting in the role of Administrator, the user has read and write rights. The ACL is not checked.
2. If the user is owner of the document, the user has read and write rights (the ACL is not checked). Publish rights are determined by the ACL.
3. If the document is marked as private and the user is not the owner of the document, all rights are denied. The ACL is not checked.
4. The ACL result is initialised to deny all access (read live, read, write, publish and delete), and the ACL is evaluated from top to bottom:
• If an object expression evaluates to true for the document, the access control entries belonging to that object specification are checked
• If the subject type and subject value of an access control entry matches, the permissions defined in that entry override any previous result
• The evaluation of the ACL does not stop at the first matching object or subject, but goes further till the bottom.
5. At the end of the ACL evaluation some further checks are performed:
• if the user does not have 'read live' rights, any other rights are denied too
• if the user does not have read rights, the write and publish rights are denied too
• if the user does not have write rights, the delete right is denied too.

Further notes:

• when saving a document, the ACL is always checked on the document currently stored, not on the newly edited document (unless it is a new document). This is because the ACL evaluation result can depend on the value of fields, and the user might have edited those fields to try to gain access to the document.
• A user cannot change a document in such a way that the user itself has no write rights anymore to the document, e.g. by changing collection membership or field values.
• The ACL is only concerned with authorisation of rights on documents. Other permissions, like who can manage users, change the ACL, create document types, etc... is simply managed via the Administrator role: users acting in the Administrator role can do all those, others can't.