Index: openacs-4/packages/acs-subsite/acs-subsite.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/acs-subsite.info,v
diff -u -r1.131.2.32 -r1.131.2.33
--- openacs-4/packages/acs-subsite/acs-subsite.info	24 Oct 2022 09:42:07 -0000	1.131.2.32
+++ openacs-4/packages/acs-subsite/acs-subsite.info	26 Oct 2022 14:20:35 -0000	1.131.2.33
@@ -9,7 +9,7 @@
     <implements-subsite-p>t</implements-subsite-p>
     <inherit-templates-p>t</inherit-templates-p>
 
-    <version name="5.10.1d8" url="http://openacs.org/repository/download/apm/acs-subsite-5.10.1d8.apm">
+    <version name="5.10.1d9" url="http://openacs.org/repository/download/apm/acs-subsite-5.10.1d9.apm">
         <owner url="http://openacs.org">OpenACS</owner>
         <summary>Subsite</summary>
         <release-date>2021-09-15</release-date>
@@ -18,7 +18,7 @@
         <license>GPL</license>
         <maturity>3</maturity>
 
-        <provides url="acs-subsite" version="5.10.1d8"/>
+        <provides url="acs-subsite" version="5.10.1d9"/>
         <requires url="acs-authentication" version="5.10.0"/>
         <requires url="acs-content-repository" version="5.10.0"/>
         <requires url="acs-kernel" version="5.10.0"/>
Index: openacs-4/packages/acs-subsite/catalog/acs-subsite.de_DE.ISO-8859-1.xml
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/catalog/acs-subsite.de_DE.ISO-8859-1.xml,v
diff -u -r1.31.2.11 -r1.31.2.12
--- openacs-4/packages/acs-subsite/catalog/acs-subsite.de_DE.ISO-8859-1.xml	30 Aug 2022 15:40:28 -0000	1.31.2.11
+++ openacs-4/packages/acs-subsite/catalog/acs-subsite.de_DE.ISO-8859-1.xml	26 Oct 2022 14:20:35 -0000	1.31.2.12
@@ -212,13 +212,17 @@
   <msg key="Go_back">Zur�ck</msg>
   <msg key="go_upload_the_users_por">Profilbild hochladen</msg>
   <msg key="go_upload_your_portrait">ein Profilbild hochladen.</msg>
+  <msg key="Confirm_Permissions">Best�tige Berechtigungen</msg>
+  <msg key="Filter_username_and_email">Suche nach Benutzername und E-Mail-Adresse</msg>
   <msg key="Grant">Erteilen</msg>
   <msg key="Grant_Permission">Berechtigungen erteilen</msg>
+  <msg key="Grant_Permissions_to_Users">Berechtigungen f�r Benutzer hinzuf�gen</msg>
+  <msg key="Grant_Permissions_to_Users-helptext">W�hlen Sie Benutzer aus, die berechigt werden sollen</msg>
+  <msg key="Group_Types">Gruppentypen</msg>
   <msg key="Group_administration">Gruppenadministration</msg>
   <msg key="Group_members">Mitglieder der Gruppe: %group_name%</msg>
   <msg key="Group_type">Gruppentyp</msg>
   <msg key="Group_type_administration">Administration Gruppentyp</msg>
-  <msg key="Group_Types">Gruppentypen</msg>
   <msg key="Groups">Gruppen</msg>
   <msg key="Groups_of_this_type">Gruppen dieses Typs</msg>
   <msg key="Have_group_mail">Eine Gruppe mit dieser E-Mail-Adresse existiert bereits.</msg>
@@ -230,10 +234,11 @@
   <msg key="Host_Node_Map">Host-Node Map</msg>
   <msg key="Hostname">Hostname</msg>
   <msg key="Hostname_must_be_unique">Hostname muss eindeutig sein</msg>
-  <msg key="icon_of_envelope">Briefumschlag-Symbol </msg>
   <msg key="If_you_were_to">Wenn Sie sich anmelden </msg>
   <msg key="Information_Updated">Die Information wurde aktualisiert.</msg>
+  <msg key="Inherited_Permission-helptext">Diese Berechtigung ist vererebt, um sie zu l�schen, klicke auf &#34;Nicht vererben ...&#34;</msg>
   <msg key="Install_locales">Sprachen installieren</msg>
+  <msg key="icon_of_envelope">Briefumschlag-Symbol </msg>
   <msg key="Invite">Einladen</msg>
   <msg key="Invite_a_user">Benutzer einladen</msg>
   <msg key="ISO_Code">ISO-Code</msg>
@@ -396,10 +401,11 @@
   <msg key="Password_changed_subject">Passwort ge�ndert</msg>
   <msg key="Password_regular_change_now">Ihr Passwort muss regelm�ssig ge�ndert werden.  Bitte �ndern Sie jetzt ihr Passwort.</msg>
   <msg key="Passwords_dont_match">Passw�rter stimmen nicht �berein</msg>
-  <msg key="perm_cannot_be_removed">Die Erlaubnis kann nicht wieder zur�ckgenommen werden.</msg>
   <msg key="Permissions">Berechtigungen</msg>
-  <msg key="permissions">Berechtigungen</msg>
+  <msg key="Permissions_Updated">Die Berechtigungen wurden aktualisiert.</msg>  
   <msg key="Permissions_for_name">Zugriffsberechtigungen f�r %name%</msg>
+  <msg key="perm_cannot_be_removed">Diese Berechtigung kann nicht entzogen werden.</msg>
+  <msg key="permissions">Berechtigungen</msg>
   <msg key="Place_of_birth">Geburtsort</msg>
   <msg key="Place_of_residence">Aufenthaltsort</msg>
   <msg key="Please_return_to_home">Bitte gehen Sie zur�ck zu %home_link%.</msg>
Index: openacs-4/packages/acs-subsite/catalog/acs-subsite.en_US.ISO-8859-1.xml
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/catalog/acs-subsite.en_US.ISO-8859-1.xml,v
diff -u -r1.97.2.4 -r1.97.2.5
--- openacs-4/packages/acs-subsite/catalog/acs-subsite.en_US.ISO-8859-1.xml	30 Aug 2022 11:13:50 -0000	1.97.2.4
+++ openacs-4/packages/acs-subsite/catalog/acs-subsite.en_US.ISO-8859-1.xml	26 Oct 2022 14:20:35 -0000	1.97.2.5
@@ -230,18 +230,20 @@
   <msg key="First_select_the_supertype">First, select the supertype for the new relationship type</msg>
   <msg key="Forgot_your_password">Forgot your password?</msg>
   <msg key="forum_moderate">Forum moderate</msg>
+  <msg key="Confirm_Permissions">Confirm Permissions</msg>
+  <msg key="Filter_username_and_email">Filter for username and email</msg>
   <msg key="Frequency">Frequency</msg>
   <msg key="Gender">Gender</msg>
   <msg key="Go_back">Go back</msg>
-  <msg key="go_upload_the_users_por">go upload the user&#39;s portrait</msg>
-  <msg key="go_upload_your_portrait">go upload your portrait</msg>
   <msg key="Grant">Grant</msg>
   <msg key="Grant_Permission">Grant Permission</msg>
+  <msg key="Grant_Permissions_to_Users">Grant Permissions to Users</msg>
+  <msg key="Grant_Permissions_to_Users-helptext">Select users to grant these permissions</msg>
+  <msg key="Group_Types">Group Types</msg>
   <msg key="Group_administration">Group administration</msg>
   <msg key="Group_members">Members of Group: %group_name%</msg>
   <msg key="Group_type">Group type</msg>
   <msg key="Group_type_administration">Group type administration</msg>
-  <msg key="Group_Types">Group Types</msg>
   <msg key="Groups">Groups</msg>
   <msg key="Groups_of_this_type">Groups of this type</msg>
   <msg key="Have_group_mail">We already have a group with this email</msg>
@@ -253,11 +255,14 @@
   <msg key="Host_Node_Map">Host-Node Map</msg>
   <msg key="Hostname">Hostname</msg>
   <msg key="Hostname_must_be_unique">Hostname must be unique</msg>
-  <msg key="icon_of_envelope">Icon of envelope</msg>
   <msg key="If_you_were_to">If you were to</msg>
-  <msg key="Information_Updated">Information Updated</msg>
+  <msg key="Information_Updated">Information updated</msg>
+  <msg key="Inherited_Permission-helptext">This permission is inherited, to remove, click the &#34;Do not inherit ...&#34; button above.</msg>
   <msg key="Install_locales">Install Locales</msg>
   <msg key="Invite">Invite</msg>
+  <msg key="go_upload_the_users_por">go upload the user&#39;s portrait</msg>
+  <msg key="go_upload_your_portrait">go upload your portrait</msg>
+  <msg key="icon_of_envelope">Icon of envelope</msg>
   <msg key="Invite_a_user">Invite a user</msg>
   <msg key="ISO_Code">ISO Code</msg>
   <msg key="ISO_Code_List">ISO Code List</msg>
@@ -469,10 +474,11 @@
   <msg key="Password_regular_change_now">Your password must be changed
   regularly. Please change your password now.</msg>
   <msg key="Passwords_dont_match">Passwords don&#39;t match</msg>
-  <msg key="perm_cannot_be_removed">This permission cannot be removed.</msg>
   <msg key="Permissions">Permissions</msg>
-  <msg key="permissions">permissions</msg>
+  <msg key="Permissions_Updated">Permissions updated.</msg>  
   <msg key="Permissions_for_name">Permissions for %name%</msg>
+  <msg key="perm_cannot_be_removed">This permission cannot be removed.</msg>
+  <msg key="permissions">permissions</msg>
   <msg key="Place_of_birth">Place of birth</msg>
   <msg key="Place_of_residence">Place of residence</msg>
   <msg key="Please_return_to_home">Please return to %home_link%.</msg>
Index: openacs-4/packages/acs-subsite/tcl/application-group-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/tcl/application-group-procs.tcl,v
diff -u -r1.23.2.2 -r1.23.2.3
--- openacs-4/packages/acs-subsite/tcl/application-group-procs.tcl	12 Sep 2022 14:31:53 -0000	1.23.2.2
+++ openacs-4/packages/acs-subsite/tcl/application-group-procs.tcl	26 Oct 2022 14:20:35 -0000	1.23.2.3
@@ -365,7 +365,7 @@
     -node_id:required
     {-package_key ""}
 } {
-    DEPRECATED: as of 2022-09-12 this api is not used in upstream
+    DEPRECATED: as of 2022-09-12 this API is not used in upstream
     codebase, and was still undocumented.
 } {
     set group_list [list]
Index: openacs-4/packages/acs-subsite/www/admin/object-types/alphabetical-index.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/admin/object-types/alphabetical-index.tcl,v
diff -u -r1.7 -r1.7.2.1
--- openacs-4/packages/acs-subsite/www/admin/object-types/alphabetical-index.tcl	7 Aug 2017 23:47:58 -0000	1.7
+++ openacs-4/packages/acs-subsite/www/admin/object-types/alphabetical-index.tcl	26 Oct 2022 14:20:35 -0000	1.7.2.1
@@ -1,6 +1,6 @@
 ad_page_contract {
 
-    Index of all object types (alphabetical, not hierarchichal)
+    Index of all object types (alphabetical, not hierarchical)
 
     @author Yonatan Feldman (yon@arsdigita.com)
     @creation-date August 15, 2000
Index: openacs-4/packages/acs-subsite/www/admin/site-map/index.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/admin/site-map/index.tcl,v
diff -u -r1.34 -r1.34.2.1
--- openacs-4/packages/acs-subsite/www/admin/site-map/index.tcl	21 Oct 2018 17:36:23 -0000	1.34
+++ openacs-4/packages/acs-subsite/www/admin/site-map/index.tcl	26 Oct 2022 14:20:35 -0000	1.34.2.1
@@ -246,7 +246,7 @@
     # Values for expand_mode:
     #  0: no children
     #  1: has children, node is not open
-    #  2: has chilren, node is open
+    #  2: has children, node is open
     #
     set expand_mode 0
     if {!$root_p && $n_children > 0} {
Index: openacs-4/packages/acs-subsite/www/members/user-new.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/members/user-new.tcl,v
diff -u -r1.14 -r1.14.2.1
--- openacs-4/packages/acs-subsite/www/members/user-new.tcl	28 Sep 2018 18:43:09 -0000	1.14
+++ openacs-4/packages/acs-subsite/www/members/user-new.tcl	26 Oct 2022 14:20:35 -0000	1.14.2.1
@@ -70,7 +70,7 @@
                 #
                 # TODO: Move this to the form, by moving the form to an include template
                 #
-                ad_return_complaint 1 "<li>User has an acccount on the system, but has been removed from the main site. Only a site-wide administrator can re-add the user."
+                ad_return_complaint 1 "<li>User has an account on the system, but has been removed from the main site. Only a site-wide administrator can re-add the user."
                 ad_script_abort
             }
         }
Index: openacs-4/packages/acs-subsite/www/permissions/one-oracle.xql
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/one-oracle.xql,v
diff -u -r1.8 -r1.8.2.1
--- openacs-4/packages/acs-subsite/www/permissions/one-oracle.xql	20 Jun 2018 09:56:19 -0000	1.8
+++ openacs-4/packages/acs-subsite/www/permissions/one-oracle.xql	26 Oct 2022 14:20:35 -0000	1.8.2.1
@@ -22,6 +22,25 @@
       </querytext>
 </fullquery>
 
+<fullquery name="nr_inherited_permissions">
+      <querytext>
+select count(*) from (
+  select grantee_id, grantee_name, privilege
+  from (select grantee_id, acs_object.name(grantee_id) as grantee_name,
+               privilege, 1 as counter
+        from acs_permissions_all
+        where object_id = :object_id
+        union all
+        select grantee_id, acs_object.name(grantee_id) as grantee_name,
+               privilege, -1 as counter
+        from acs_permissions
+        where object_id = :object_id )
+  group by grantee_id, grantee_name, privilege
+  having sum(counter) > 0
+) as counts
+      </querytext>
+</fullquery>
+
 <fullquery name="children">      
       <querytext>
       
Index: openacs-4/packages/acs-subsite/www/permissions/one-postgresql.xql
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/one-postgresql.xql,v
diff -u -r1.9 -r1.9.2.1
--- openacs-4/packages/acs-subsite/www/permissions/one-postgresql.xql	20 Jun 2018 09:56:19 -0000	1.9
+++ openacs-4/packages/acs-subsite/www/permissions/one-postgresql.xql	26 Oct 2022 14:20:35 -0000	1.9.2.1
@@ -20,6 +20,24 @@
       </querytext>
 </fullquery>
 
+<fullquery name="nr_inherited_permissions">
+      <querytext>
+select count(*) from (
+  select grantee_id, grantee_name, privilege
+  from (
+	select grantee_id, acs_object__name(grantee_id) as grantee_name, privilege, 1 as counter
+	from acs_permission.permissions_all(:object_id)
+        union all
+        select grantee_id, acs_object__name(grantee_id) as grantee_name, privilege, -1 as counter
+        from acs_permissions
+        where object_id = :object_id ) dummy
+  group by grantee_id, grantee_name, privilege
+  having sum(counter) > 0
+) as counts
+      </querytext>
+</fullquery>
+
+
 <fullquery name="children">      
   <querytext>
     
Index: openacs-4/packages/acs-subsite/www/permissions/one.adp
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/one.adp,v
diff -u -r1.15 -r1.15.2.1
--- openacs-4/packages/acs-subsite/www/permissions/one.adp	17 Jul 2018 18:30:29 -0000	1.15
+++ openacs-4/packages/acs-subsite/www/permissions/one.adp	26 Oct 2022 14:20:35 -0000	1.15.2.1
@@ -2,40 +2,57 @@
   <property name="doc(title)">#acs-subsite.Permissions_for_name#</property>
   <property name="context">@context;literal@</property>
 
-  <h3>#acs-subsite.lt_Inherited_Permissions#</h3>
-  <if @inherited:rowcount;literal@ gt 0>
-    <ul>
-      <multiple name="inherited">
-        <li>@inherited.grantee_name@, @inherited.privilege@</li>
-      </multiple>
-    </ul>
-  </if>
-  <else>
-    <p><em>#acs-subsite.none#</em></p>
-  </else>
+  <p>[ <a href="@toggle_view_href@">@toggle_view_label@</a> ]</p>
   <h3>#acs-subsite.Direct_Permissions#</h3>
-  <if @acl:rowcount;literal@ gt 0>
-    <form method="get" action="revoke">
-      @export_form_vars;noquote@
-      <multiple name="acl">
-        <if @mainsite_p@ true and @acl.grantee_id@ eq "-1">
-	<div>@acl.grantee_name@, @acl.privilege@ <strong>#acs-subsite.perm_cannot_be_removed#</strong></div>
-	</if>
-        <else>
-          <input type="checkbox" name="revoke_list" value="@acl.grantee_id@ @acl.privilege@" 
-            id="check_@acl.grantee_id@_@acl.privilege@">
+
+  <if @detail_p;literal@ true>
+    <if @acl:rowcount;literal@ gt 0>
+      <form method="get" action="revoke">
+        @export_form_vars;noquote@
+        <multiple name="acl">
+          <if @mainsite_p@ true and @acl.grantee_id@ eq "-1">
+            <div>@acl.grantee_name@, @acl.privilege@ <strong>#acs-subsite.perm_cannot_be_removed#</strong></div>
+	  </if>
+          <else>
+            <input type="checkbox" name="revoke_list" value="@acl.grantee_id@ @acl.privilege@" 
+              id="check_@acl.grantee_id@_@acl.privilege@">
             <label for="check_@acl.grantee_id@_@acl.privilege@">@acl.grantee_name@, @acl.privilege@</label><br>
-        </else>
-      </multiple>
+          </else>
+        </multiple>
+    </if>
+    <else>
+      <p><em>#acs-subsite.none#</em></p>
+    </else>
+    <if @acl:rowcount;literal@ gt 0>
+      <div><input type="submit" value="#acs-subsite.Revoke_Checked#"></div>
+      </form>
+    </if>
+  @controls;noquote@
+  </if><else>
+    <include src="/packages/acs-subsite/www/permissions/perm-include" &="object_id" &="return_url" &="privs">
+  </else>
+    
+  <h3>#acs-subsite.lt_Inherited_Permissions#</h3>
+
+  <if @inherited_permissions_p;literal@ false>
+    <p>@nr_inherited_permissions@ #acs-subsite.lt_Inherited_Permissions#
+    [<a href="@show_inherited_permissions_href@">#acs-subsite.Show#</a>]
   </if>
   <else>
-    <p><em>#acs-subsite.none#</em></p>
+    <p>@nr_inherited_permissions@ #acs-subsite.lt_Inherited_Permissions#
+    [<a href="@hide_inherited_permissions_href@">#acs-subsite.Hide#</a>]
+    <if @inherited:rowcount;literal@ gt 0>
+      <ul>
+        <multiple name="inherited">
+          <li>@inherited.grantee_name@, @inherited.privilege@</li>
+        </multiple>
+      </ul>
+    </if>
+    <else>
+      <p><em>#acs-subsite.none#</em></p>
+    </else>
   </else>
-  <if @acl:rowcount;literal@ gt 0>
-    <div><input type="submit" value="#acs-subsite.Revoke_Checked#"></div>
-    </form>
-  </if>
-  @controls;noquote@
+   
 
   <h3>#acs-subsite.Children#</h3>
   <if @children_p;literal@ true>
Index: openacs-4/packages/acs-subsite/www/permissions/one.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/one.tcl,v
diff -u -r1.21.2.1 -r1.21.2.2
--- openacs-4/packages/acs-subsite/www/permissions/one.tcl	3 Sep 2019 07:45:04 -0000	1.21.2.1
+++ openacs-4/packages/acs-subsite/www/permissions/one.tcl	26 Oct 2022 14:20:35 -0000	1.21.2.2
@@ -6,35 +6,53 @@
 
     @author rhs@mit.edu
     @creation-date 2000-08-20
-    @cvs-id $Id$
 } {
     object_id:integer,notnull
     {children_p:boolean "f"}
+    {detail_p:boolean "f"}
+    {privs:nohtml ""}
+    {inherited_permissions_p:boolean "f"}
     {application_url ""}
 }
 
 set user_id [auth::require_login]
 permission::require_permission -object_id $object_id -privilege admin
 
-# RBM: Check if this is the Main Site and prevent the user from being
-#      able to remove Read permission on "The Public" and locking
-#      him/herself out.
-if {$object_id eq [subsite::main_site_id]} {
-    set mainsite_p 1
-} else {
-    set mainsite_p 0
-}
+set show_inherited_permissions_href [export_vars -base one {object_id children_p {inherited_permissions_p t}}]
+set hide_inherited_permissions_href [export_vars -base one {object_id children_p {inherited_permissions_p f}}]
 
+# Check if this is the Main Site and prevent the user from being
+# able to remove Read permission on "The Public" and locking
+# everybody (including him/herself) out.
 
-acs_object::get -object_id $object_id -array obj
-set name               $obj(object_name)
-set context_id         $obj(context_id)
-set security_inherit_p $obj(security_inherit_p)
+set mainsite_p [expr {$object_id eq [subsite::main_site_id]}]
 
+set object_info [acs_object::get -object_id $object_id]
+set name               [dict get $object_info object_name]
+set security_inherit_p [dict get $object_info security_inherit_p]
+set context_id         [dict get $object_info context_id]
+if {$context_id == -3} {
+    #
+    # Legacy installations have #acs-kernel.Default_Context# set in
+    # cases, where newer instances have a NULL value.
+    #
+    set context_id ""
+}
+
 set context [list [list "./" [_ acs-subsite.Permissions]] [_ acs-subsite.Permissions_for_name]]
+set toggle_view_vars {object_id privs children_p inherited_permissions_p}
+if {$detail_p} {
+    lappend toggle_view_vars {detail_p 0}
+    set toggle_view_label "Show permissions as table"
+} else {
+    lappend toggle_view_vars {detail_p 1}
+    set toggle_view_label "Show permissions as list"
+}
+set toggle_view_href [export_vars -base one $toggle_view_vars]
 
-db_multirow inherited inherited_permissions {} {}
+set nr_inherited_permissions [db_string nr_inherited_permissions {}]
 
+db_multirow inherited inherited_permissions {} {}
 db_multirow -extend {grantee_name} acl acl {
     select grantee_id, privilege
     from acs_permissions
@@ -47,13 +65,15 @@
 set controlsUrl [export_vars -base grant {application_url object_id}]
 lappend controls "<a href=\"[ns_quotehtml $controlsUrl]\">[ns_quotehtml [_ acs-subsite.Grant_Permission]]</a>"
 
-set context_name [lang::util::localize [acs_object_name $context_id]]
 
-set toggleUrl [export_vars -base toggle-inherit {application_url object_id}]
-if { $security_inherit_p == "t" && $context_id ne "" } {
-    lappend controls "<a href=\"[ns_quotehtml $toggleUrl]\">Don't Inherit Permissions from [ns_quotehtml $context_name]</a>"
-} else {
-    lappend controls "<a href=\"[ns_quotehtml $toggleUrl]\">Inherit Permissions from [ns_quotehtml $context_name]</a>"
+if {$context_id ne ""} {
+    set context_name [lang::util::localize [acs_object_name $context_id]]
+    set toggleUrl [export_vars -base toggle-inherit {application_url object_id}]
+    if { $security_inherit_p == "t" && $context_id ne "" } {
+        lappend controls "<a href='[ns_quotehtml $toggleUrl]'>Don't Inherit Permissions from [ns_quotehtml $context_name]</a>"
+    } else {
+        lappend controls "<a href='[ns_quotehtml $toggleUrl]'>Inherit Permissions from [ns_quotehtml $context_name]</a>"
+    }
 }
 
 set controls "\[ [join $controls { | }] \]"
@@ -64,8 +84,7 @@
 set hide_children_url [export_vars -base one {object_id application_url {children_p f}}]
 
 if {$children_p == "t"} {
-    db_multirow children children {} {
-    }
+    db_multirow children children {} {}
 } else {
     db_1row children_count {} 
 }
Index: openacs-4/packages/acs-subsite/www/permissions/perm-include.adp
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/perm-include.adp,v
diff -u -r1.5 -r1.5.14.1
--- openacs-4/packages/acs-subsite/www/permissions/perm-include.adp	3 Jan 2008 19:05:23 -0000	1.5
+++ openacs-4/packages/acs-subsite/www/permissions/perm-include.adp	26 Oct 2022 14:20:35 -0000	1.5.14.1
@@ -2,7 +2,7 @@
   @perm_form_export_vars;noquote@
   <listtemplate name="permissions"></listtemplate>
   <p>
-    <input type="submit" value="#acs-subsite.Confirm#">
+    <input type="submit" value="#acs-subsite.Confirm_Permissions#" class="btn btn-outline-secondary text-decoration-none">
   </p>
 </form>
 
Index: openacs-4/packages/acs-subsite/www/permissions/perm-include.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/perm-include.tcl,v
diff -u -r1.20.2.1 -r1.20.2.2
--- openacs-4/packages/acs-subsite/www/permissions/perm-include.tcl	24 Oct 2022 19:18:19 -0000	1.20.2.1
+++ openacs-4/packages/acs-subsite/www/permissions/perm-include.tcl	26 Oct 2022 14:20:35 -0000	1.20.2.2
@@ -9,21 +9,40 @@
     {object_id:integer}
     {return_url:localurl ""}
     {privs { read create write delete admin }}
+    {detailed_permissions_p:boolean f}
     {user_add_url:localurl ""}
 }
 
 set user_id [ad_conn user_id]
 set admin_p [permission::permission_p -object_id $object_id -privilege admin]
 
+set ad_return_url [ad_return_url]
 if { $return_url eq "" } {
-    set return_url [ad_return_url]
+    set return_url $ad_return_url
 }
 
-acs_object::get -object_id $object_id -array obj
-set object_name $obj(object_name)
-set context_id  $obj(context_id)
-set parent_object_name [acs_object_name $obj(context_id)]
 
+#
+# When "privs" are passed in from the <include...> as empty, take the
+# defaults. This way, it is still backward compatible and it does not
+# require that the caller needs to know the default privileges.
+#
+if {$privs eq ""} {
+    set privs { read create write delete admin }
+}
+
+set object_info [acs_object::get -object_id $object_id]
+set name               [dict get $object_info object_name]
+set security_inherit_p [dict get $object_info security_inherit_p]
+set context_id         [dict get $object_info context_id]
+if {$context_id == -3} {
+    #
+    # Legacy installations have #acs-kernel.Default_Context# set in
+    # cases, where newer instances have a NULL value.
+    #
+    set context_id ""
+}
+
 set elements [list]
 lappend elements grantee_name {
     label "[_ acs-subsite.Name]"
@@ -38,6 +57,8 @@
     }
 }
 
+set mainsite_p [expr {$object_id eq [subsite::main_site_id]}]
+
 foreach priv $privs {
     lappend select_clauses \
         "sum(ptab.${priv}_p) as ${priv}_p" \
@@ -51,12 +72,17 @@
              html { align center } \
              label [string totitle [string map {_ { }} [_ acs-subsite.$priv]]] \
              display_template [subst {
+               <if @permissions.grantee_id@ eq -1 and $mainsite_p eq 1>
+                 <if @permissions.${priv}_p@ eq 1>
+                   <adp:icon name="checkbox-checked" title="#acs-subsite.perm_cannot_be_removed#">
+                 </if>
+               </if><else>
                <if @permissions.${priv}_p@ ge 2>
-                 <adp:icon name="checkbox-checked" title="This permission is inherited, to remove, click the 'Do not inherit ...' button above.">
+                 <adp:icon name="checkbox-checked" title="#acs-subsite.Inherited_Permission-helptext#">
                </if>
                <else>
                  <input type="checkbox" name="perm" value="@permissions.grantee_id@,${priv}" @permissions.${priv}_checked@>
-               </else>
+               </else></else>
              }] \
             ]
 }
@@ -65,7 +91,12 @@
 lappend elements remove_all {
     html { align center }
     label "[_ acs-subsite.Remove_All]"
-    display_template {<input type="checkbox" name="perm" value="@permissions.grantee_id@,remove">}
+    display_template {
+        <if @permissions.grantee_id@ eq -1 and $mainsite_p true>
+        </if><else>
+        <input type="checkbox" name="perm" value="@permissions.grantee_id@,remove">
+        </else>
+    }
 }
 
 #lappend elements grantee_id
@@ -77,29 +108,44 @@
     set user_add_url "${perm_url}perm-user-add"
 }
 set user_add_url [export_vars -base $user_add_url {
-    object_id expanded {return_url "[ad_return_url]"}
+    object_id expanded {return_url $ad_return_url}
 }]
 
-set actions [list \
-                 [_ acs-subsite.Grant_Permission] \
-                 [export_vars -base "${perm_url}grant" {return_url application_url object_id}] \
-                 [_ acs-subsite.Grant_Permission] \
-                 [_ acs-subsite.Search_For_Exist_User] \
-                 $user_add_url \
-                 [_ acs-subsite.Search_For_Exist_User]]
+set actions {}
+if {$detailed_permissions_p} {
+    lappend actions \
+        [_ acs-subsite.Grant_Permission] \
+        [export_vars -base "${perm_url}grant" {return_url application_url object_id}] \
+        [_ acs-subsite.Grant_Permission]
+}
+lappend actions \
+    [_ acs-subsite.Grant_Permissions_to_Users] \
+    $user_add_url \
+    [_ acs-subsite.Grant_Permissions_to_Users-helptext]
 
+#
+# When there is no context_id given, do not offer to turn
+# security_inherit_p on or off.
+#
 if { $context_id ne "" } {
-    set inherit_p [permission::inherit_p -object_id $object_id]
+    #
+    # The variable "parent_object_name" is used the the following
+    # message keys:
+    #
+    #    lt_Do_not_inherit_from_p, lt_Inherit_from_parent_o,
+    #    lt_Inherit_permissions_f, lt_Stop_inheriting_permi
+    #
+    set parent_object_name [acs_object_name $context_id]
 
-    if { $inherit_p } {
+    if { $security_inherit_p } {
         lappend actions \
             [_ acs-subsite.lt_Do_not_inherit_from_p] \
-            [export_vars -base "${perm_url}toggle-inherit" {object_id {return_url [ad_return_url]}}] \
+            [export_vars -base "${perm_url}toggle-inherit" {object_id {return_url $ad_return_url}}] \
             [_ acs-subsite.lt_Stop_inheriting_permi]
     } else {
         lappend actions \
             [_ acs-subsite.lt_Inherit_from_parent_o] \
-            [export_vars -base "${perm_url}toggle-inherit" {object_id {return_url [ad_return_url]}}] \
+            [export_vars -base "${perm_url}toggle-inherit" {object_id {return_url $ad_return_url}}] \
             [_ acs-subsite.lt_Inherit_permissions_f]
     }
 }
Index: openacs-4/packages/acs-subsite/www/permissions/perm-modify.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/perm-modify.tcl,v
diff -u -r1.8 -r1.8.2.1
--- openacs-4/packages/acs-subsite/www/permissions/perm-modify.tcl	23 Apr 2018 21:32:46 -0000	1.8
+++ openacs-4/packages/acs-subsite/www/permissions/perm-modify.tcl	26 Oct 2022 14:20:35 -0000	1.8.2.1
@@ -8,23 +8,28 @@
 
 permission::require_permission -object_id $object_id -privilege admin
 
-# entried in 'perm' have the form "${party_id}_${privilege}"
+set mainsite_p [expr {$object_id eq [subsite::main_site_id]}]
 
+#
+# Entries in 'perm' have the form "${party_id}_${privilege}"
+#
 foreach elm $perm {
-    set elmv [split $elm ","]
-    lassign $elmv party_id priv
+    lassign [split $elm ","] party_id priv
     if { $priv ne "remove" } {
         set perm_array($elm) add
-    }
+    }        
 }
 
 foreach elm $perm {
-    set elmv [split $elm ","]
-    lassign $elmv party_id priv
+    lassign [split $elm ","] party_id priv
     if {$priv eq "remove"} {
-        foreach priv $privs {
+        foreach priv $privs {            
             if { [info exists perm_array(${party_id},${priv})] } {
-                unset perm_array(${party_id},${priv})
+                if {$mainsite_p && $party_id == "-1"} {
+                    util_user_message "#acs-kernel.The_Public# $priv: #acs-subsite.perm_cannot_be_removed#"
+                } else {
+                    unset perm_array(${party_id},${priv})
+                }
             }
         }
     }
@@ -53,8 +58,7 @@
     #  nothing: Do nothing
     #  add:     Add the privilege
     foreach elm [array names perm_array] {
-        set elmv [split $elm ","]
-        lassign $elmv party_id privilege
+        lassign [split $elm ","] party_id privilege
 
         switch -- $perm_array($elm) {
             remove {
@@ -72,7 +76,7 @@
     ad_script_abort
 }
 
-set message [expr {$changes_p ? [_ acs-subsite.Information_Updated] : ""}]
+set message [expr {$changes_p ? [_ acs-subsite.Permissions_Updated] : ""}]
 
 ad_returnredirect -message $message $return_url
 ad_script_abort
Index: openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include-oracle.xql
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include-oracle.xql,v
diff -u -r1.4 -r1.4.2.1
--- openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include-oracle.xql	7 Aug 2017 23:47:59 -0000	1.4
+++ openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include-oracle.xql	26 Oct 2022 14:20:35 -0000	1.4.2.1
@@ -10,6 +10,7 @@
            u.first_names || ' ' || u.last_name
     from   cc_users u
     where  u.user_id not in (select grantee_id from acs_permissions_all where object_id = :object_id)
+    and    [template::list::filter_where_clauses -name users]
     order  by upper(first_names), upper(last_name)
 
       </querytext>
Index: openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include-postgresql.xql
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include-postgresql.xql,v
diff -u -r1.4 -r1.4.2.1
--- openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include-postgresql.xql	7 Aug 2017 23:47:59 -0000	1.4
+++ openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include-postgresql.xql	26 Oct 2022 14:20:35 -0000	1.4.2.1
@@ -11,7 +11,8 @@
     from   cc_users u
     where  u.user_id not in (
        select grantee_id from acs_permission.permissions_all(:object_id)
-    )
+       )
+    and    [template::list::filter_where_clauses -name users]
     order  by upper(first_names), upper(last_name)
 
   </querytext>
Index: openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.adp
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.adp,v
diff -u -r1.5 -r1.5.2.1
--- openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.adp	7 Aug 2017 23:47:59 -0000	1.5
+++ openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.adp	26 Oct 2022 14:20:35 -0000	1.5.2.1
@@ -1,6 +1,11 @@
-<p><listtemplate name="users"></listtemplate></p>
-
+<div class="w-50">    
+  <div class="small fw-light">#acs-subsite.Filter_username_and_email#
+    <formtemplate id="filter" style="filter"></formtemplate>
+  </div>
+</div> 
+<listtemplate name="users"></listtemplate>
 <p>
-  <strong>&raquo;</strong> <a href="@return_url@">#acs-subsite.lGo_back_without_adding#</a>
-</p>
+<ul class="action-links">
+    <li><a href="@return_url@">#acs-subsite.lGo_back_without_adding#</a></li>
+</ul>
 
Index: openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.tcl,v
diff -u -r1.10.2.1 -r1.10.2.2
--- openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.tcl	16 May 2019 09:54:29 -0000	1.10.2.1
+++ openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.tcl	26 Oct 2022 14:20:35 -0000	1.10.2.2
@@ -3,10 +3,12 @@
     object_id:naturalnum,notnull
     return_url:localurl
     page:naturalnum,optional
+    {search ""}
 }
 
-# check they have read permission on this file
-
+#
+# Check if the current user has read permission on this object_id.
+#
 permission::require_permission -object_id $object_id -privilege admin
 
 # TODO:
@@ -18,11 +20,25 @@
 
 set perm_url "[lindex [site_node::get_url_from_object_id -object_id [site_node::closest_ancestor_package -include_self -package_key [subsite::package_keys]]] 0]permissions/"
 
+ad_form \
+    -name filter \
+    -edit_buttons [list [list "Go" go]] \
+    -has_submit 1 \
+    -html { class foo } \
+    -export {return_url object_id page} \
+    -form {
+        {search:text,optional
+            {label ""}
+            {html {length 30 placeholder "[_ acs-kernel.common_Search]"} }
+            {value $search}
+        }
+    } -on_submit {}
+
 list::create \
     -name users \
     -multirow users \
     -key user_id \
-    -page_size 20 \
+    -page_size 10 \
     -page_query_name users_who_dont_have_any_permissions_paginator \
     -no_data "[_ acs-subsite.lt_There_are_no_users_wh]" \
     -bulk_action_export_vars { return_url object_id } \
@@ -41,11 +57,20 @@
             label "[_ acs-subsite.Add]"
             link_url_col add_url
             link_html { title "[_ acs-subsite.Add_this_user]" }
-            display_template "[_ acs-subsite.Add]"
+            display_template "<adp:icon name='add-new-item' title='[_ acs-subsite.Add_this_user]'>"
         }
     } -filters {
         object_id {}
         return_url {}
+        search {
+            hide_p 1
+            where_clause {
+                (:search is null
+                 or u.first_names || ' ' || u.last_name ilike '%' || :search || '%'
+                 or u.email ilike '%' || :search || '%'
+                 )
+            }
+        }
     }
 
 db_multirow -extend { add_url } users users_who_dont_have_any_permissions {} {
Index: openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.xql
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.xql,v
diff -u -r1.4 -r1.4.2.1
--- openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.xql	7 Aug 2017 23:47:59 -0000	1.4
+++ openacs-4/packages/acs-subsite/www/permissions/perm-user-add-include.xql	26 Oct 2022 14:20:35 -0000	1.4.2.1
@@ -10,6 +10,7 @@
            u.email
     from   cc_users u
     where  [template::list::page_where_clause -name users]
+    and    [template::list::filter_where_clauses -name users]
     order  by upper(first_names), upper(last_name)
 
       </querytext>
Index: openacs-4/packages/acs-subsite/www/register/index.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/register/index.tcl,v
diff -u -r1.15.2.2 -r1.15.2.3
--- openacs-4/packages/acs-subsite/www/register/index.tcl	20 Jun 2019 14:21:03 -0000	1.15.2.2
+++ openacs-4/packages/acs-subsite/www/register/index.tcl	26 Oct 2022 14:20:35 -0000	1.15.2.3
@@ -17,7 +17,7 @@
 
 #
 # Avoid page caching, across all browsers, no matter how the other
-# site wide caching parameters are set. For discussion and deatils,
+# site wide caching parameters are set. For discussion and details,
 # see:
 #
 # https://stackoverflow.com/questions/49547/how-to-control-web-page-caching-across-all-browsers