Index: openacs-4/packages/acs-subsite/www/permissions/perm-include.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/perm-include.tcl,v
diff -u -r1.20.2.1 -r1.20.2.2
--- openacs-4/packages/acs-subsite/www/permissions/perm-include.tcl	24 Oct 2022 19:18:19 -0000	1.20.2.1
+++ openacs-4/packages/acs-subsite/www/permissions/perm-include.tcl	26 Oct 2022 14:20:35 -0000	1.20.2.2
@@ -9,21 +9,40 @@
     {object_id:integer}
     {return_url:localurl ""}
     {privs { read create write delete admin }}
+    {detailed_permissions_p:boolean f}
     {user_add_url:localurl ""}
 }
 
 set user_id [ad_conn user_id]
 set admin_p [permission::permission_p -object_id $object_id -privilege admin]
 
+set ad_return_url [ad_return_url]
 if { $return_url eq "" } {
-    set return_url [ad_return_url]
+    set return_url $ad_return_url
 }
 
-acs_object::get -object_id $object_id -array obj
-set object_name $obj(object_name)
-set context_id  $obj(context_id)
-set parent_object_name [acs_object_name $obj(context_id)]
 
+#
+# When "privs" are passed in from the <include...> as empty, take the
+# defaults. This way, it is still backward compatible and it does not
+# require that the caller needs to know the default privileges.
+#
+if {$privs eq ""} {
+    set privs { read create write delete admin }
+}
+
+set object_info [acs_object::get -object_id $object_id]
+set name               [dict get $object_info object_name]
+set security_inherit_p [dict get $object_info security_inherit_p]
+set context_id         [dict get $object_info context_id]
+if {$context_id == -3} {
+    #
+    # Legacy installations have #acs-kernel.Default_Context# set in
+    # cases, where newer instances have a NULL value.
+    #
+    set context_id ""
+}
+
 set elements [list]
 lappend elements grantee_name {
     label "[_ acs-subsite.Name]"
@@ -38,6 +57,8 @@
     }
 }
 
+set mainsite_p [expr {$object_id eq [subsite::main_site_id]}]
+
 foreach priv $privs {
     lappend select_clauses \
         "sum(ptab.${priv}_p) as ${priv}_p" \
@@ -51,12 +72,17 @@
              html { align center } \
              label [string totitle [string map {_ { }} [_ acs-subsite.$priv]]] \
              display_template [subst {
+               <if @permissions.grantee_id@ eq -1 and $mainsite_p eq 1>
+                 <if @permissions.${priv}_p@ eq 1>
+                   <adp:icon name="checkbox-checked" title="#acs-subsite.perm_cannot_be_removed#">
+                 </if>
+               </if><else>
                <if @permissions.${priv}_p@ ge 2>
-                 <adp:icon name="checkbox-checked" title="This permission is inherited, to remove, click the 'Do not inherit ...' button above.">
+                 <adp:icon name="checkbox-checked" title="#acs-subsite.Inherited_Permission-helptext#">
                </if>
                <else>
                  <input type="checkbox" name="perm" value="@permissions.grantee_id@,${priv}" @permissions.${priv}_checked@>
-               </else>
+               </else></else>
              }] \
             ]
 }
@@ -65,7 +91,12 @@
 lappend elements remove_all {
     html { align center }
     label "[_ acs-subsite.Remove_All]"
-    display_template {<input type="checkbox" name="perm" value="@permissions.grantee_id@,remove">}
+    display_template {
+        <if @permissions.grantee_id@ eq -1 and $mainsite_p true>
+        </if><else>
+        <input type="checkbox" name="perm" value="@permissions.grantee_id@,remove">
+        </else>
+    }
 }
 
 #lappend elements grantee_id
@@ -77,29 +108,44 @@
     set user_add_url "${perm_url}perm-user-add"
 }
 set user_add_url [export_vars -base $user_add_url {
-    object_id expanded {return_url "[ad_return_url]"}
+    object_id expanded {return_url $ad_return_url}
 }]
 
-set actions [list \
-                 [_ acs-subsite.Grant_Permission] \
-                 [export_vars -base "${perm_url}grant" {return_url application_url object_id}] \
-                 [_ acs-subsite.Grant_Permission] \
-                 [_ acs-subsite.Search_For_Exist_User] \
-                 $user_add_url \
-                 [_ acs-subsite.Search_For_Exist_User]]
+set actions {}
+if {$detailed_permissions_p} {
+    lappend actions \
+        [_ acs-subsite.Grant_Permission] \
+        [export_vars -base "${perm_url}grant" {return_url application_url object_id}] \
+        [_ acs-subsite.Grant_Permission]
+}
+lappend actions \
+    [_ acs-subsite.Grant_Permissions_to_Users] \
+    $user_add_url \
+    [_ acs-subsite.Grant_Permissions_to_Users-helptext]
 
+#
+# When there is no context_id given, do not offer to turn
+# security_inherit_p on or off.
+#
 if { $context_id ne "" } {
-    set inherit_p [permission::inherit_p -object_id $object_id]
+    #
+    # The variable "parent_object_name" is used the the following
+    # message keys:
+    #
+    #    lt_Do_not_inherit_from_p, lt_Inherit_from_parent_o,
+    #    lt_Inherit_permissions_f, lt_Stop_inheriting_permi
+    #
+    set parent_object_name [acs_object_name $context_id]
 
-    if { $inherit_p } {
+    if { $security_inherit_p } {
         lappend actions \
             [_ acs-subsite.lt_Do_not_inherit_from_p] \
-            [export_vars -base "${perm_url}toggle-inherit" {object_id {return_url [ad_return_url]}}] \
+            [export_vars -base "${perm_url}toggle-inherit" {object_id {return_url $ad_return_url}}] \
             [_ acs-subsite.lt_Stop_inheriting_permi]
     } else {
         lappend actions \
             [_ acs-subsite.lt_Inherit_from_parent_o] \
-            [export_vars -base "${perm_url}toggle-inherit" {object_id {return_url [ad_return_url]}}] \
+            [export_vars -base "${perm_url}toggle-inherit" {object_id {return_url $ad_return_url}}] \
             [_ acs-subsite.lt_Inherit_permissions_f]
     }
 }