Removing Publish right
The Read/Write permissions by default allow for the user to be able to publish documents as well. Can you remove the right to publish from those who have Read/Write permissions?
I want the members to have read/write permissions, but I only want the Admin to be able to actually publish documents.
There is a “Can ask for publishing” that can be denied, but it does not work properly: http://answers.nuxeo.com/questions/10318/can-ask-for-publishing-permission-has-no-effect
This permission is intended to solve this problem: http://doc.nuxeo.com/plugins/viewsource/viewpagesrc.action?pageId=12099702
The “Can ask for publishing” permission is intended to be denied, so as to restrict the actions available to users with “Read” permission, typically to enable users to see the content of a section without being able to publish in the section.
Nuxeo 6.0 apparently solves the problem.
One should always consider the order of ACLs … although they have to be exported to be seen
I'm afraid it does not. If you read the post, you can see I tested declaring the deny privilege first.
Could you please test it with the Nuxeo VM and provide steps to get it working?
Anyway, if it worked, having to export the ACL to understand what privilege is granted does not seem as a desirable behaviour.