Some of you are very aware of the limitations of Elgg's access system, in particular not being able to use multiple ACLs natively.
A few of us have written plugins to make composite ACLs, by combining ACLs and updating the composite when a constituent part changes. I actually think, for most applications, this kludge is a winner: the underlying system stays lean and focused on the most common use case. However, I think core should take over this responsibility by adding a new API to manage access on entities and ACLs.
Underneath the hood Elgg would need a new link table to denote dependencies between ACLs, and when an ACL was updated, it would build a list of ACLs that need updating and update them. I think also an is_composite bit would need to be added to the ACL table, because I would not want to allow composites to be built on other composites.
Devs would get an AclBuilder API that would allow constructing (or fetching) an ACL by specifying the constituents. Devs could use this directly or via an API on an entity, which would also set the entity's access_id to the composite one.
Thoughts?
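A sketch of the proposal above, added here as an example; it is not code from the original post or from Elgg. The table names, column names, `AclBuilder` methods and the in-memory SQLite store are all assumptions, as is treating a composite as the union of its constituents' members.

```python
import sqlite3

SCHEMA = """-- Hypothetical tables for the proposal; every name here is an assumption.
CREATE TABLE acl (id INTEGER PRIMARY KEY, name TEXT, is_composite INTEGER DEFAULT 0);
CREATE TABLE acl_member (acl_id INTEGER, user_id INTEGER);
CREATE TABLE acl_dependency (composite_id INTEGER, constituent_id INTEGER);
"""

class AclBuilder:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def _q(self, sql, *args):
        return self.db.execute(sql, args).fetchall()

    def create(self, name, members=()):  # plain (non-composite) ACL
        acl_id = self.db.execute("INSERT INTO acl (name) VALUES (?)", (name,)).lastrowid
        self.set_members(acl_id, members)
        return acl_id

    def members(self, acl_id):
        return {u for (u,) in self._q("SELECT user_id FROM acl_member WHERE acl_id = ?", acl_id)}

    def set_members(self, acl_id, members):  # then refresh every dependent composite
        self._replace(acl_id, members)
        for (cid,) in self._q("SELECT composite_id FROM acl_dependency WHERE constituent_id = ?", acl_id):
            self._rebuild(cid)

    def compose(self, constituents):  # construct, or fetch, the composite of plain ACLs
        ids = sorted(set(constituents))
        if self._q(f"SELECT 1 FROM acl WHERE is_composite = 1 AND id IN ({','.join('?' * len(ids))})", *ids):
            raise ValueError("composites cannot be built on other composites")
        name = "composite:" + "+".join(map(str, ids))
        for (cid,) in self._q("SELECT id FROM acl WHERE is_composite = 1 AND name = ?", name):
            return cid  # already built for this exact set of constituents
        cid = self.db.execute("INSERT INTO acl (name, is_composite) VALUES (?, 1)", (name,)).lastrowid
        self.db.executemany("INSERT INTO acl_dependency VALUES (?, ?)", [(cid, i) for i in ids])
        self._rebuild(cid)
        return cid

    def _replace(self, acl_id, members):
        self.db.execute("DELETE FROM acl_member WHERE acl_id = ?", (acl_id,))
        self.db.executemany("INSERT INTO acl_member VALUES (?, ?)", [(acl_id, u) for u in members])

    def _rebuild(self, cid):  # assumption: composite = union of its constituents' members
        rows = self._q("SELECT DISTINCT m.user_id FROM acl_member m JOIN acl_dependency d "
                       "ON d.constituent_id = m.acl_id WHERE d.composite_id = ?", cid)
        self._replace(cid, [u for (u,) in rows])
```

The case worth testing in any real implementation is removal: when a user is dropped from a constituent ACL, every composite that depends on it has to be rebuilt in the same operation, or access outlives the revocation.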