But I guess I'm a little confused about the way the [{ALLOW view userid}] functions. Since it is part of the JSPWiki page text, I would think it would have to be processed at the level where the page is being viewed, not through the security setup. The security setup would decide whether a user is allowed to view or edit pages in general. I would imagine that the [{ALLOW view userid}] tag works after a user is attempting to pull up the page in question - more at the JSPWiki level than at the security level.
Well, whenever the page is changed, we parse the text and find all ALLOW statements, then store them in the page ACL. And yeah, the security subsystem first checks the ACLs before the page content is even read.
/Janne
