Today I found that there were still some obscure holes in ACL tweaking via this mechanism (such as uploading files with ajax). I think I found a better solution to get right at the heart of the functionality: Adding a hook in the auth_aclcheck function itself.
All the above patches can be replaced with:
--- auth.php 2012-01-25 13:39:32.000000000 -0600
+++ ../../../dokuwiki/inc/auth.php 2013-01-22 18:19:35.069406000 -0600
@@ -490,10 +490,12 @@
+ trigger_event('CHECK_ACL',$tmp=array(ns => $id, user => $user, groups => $groups));
// if no ACL is used always return upload rights
if(!$conf['useacl']) return AUTH_UPLOAD;
if (!$auth) return AUTH_NONE;
//make sure groups is an array
This ads a plugin hook called CHECK_ACL. It passes the plugin the namespace, which is very helpful. I believe this would also work for Marcel (confirm?).