--- doc/trustee.html	2002/07/28 16:24:55	1.4
+++ doc/trustee.html	2003/06/11 03:26:29	1.8
@@ -9,12 +9,17 @@
 (like <a href="notify.html">notify on change</a>)
 </p>
 
+<p>For each path (which can be file or directory) all trustees are
+evaluated. However, <b>deny</b> has precedence over <b>allow</b> (which
+is default in no trustee is specified).
+</p>
+
 <h2>Format of trustee file</h2>
 
 <p>Comments are written using hash (#) as first character in line
 <br><tt># this is a comment</tt></p>
 
-<p>Group can be used instead of username in all ACLs. You can't have user
+<p>Group can be used instead of user-name in all ACL. You can't have user
 which has same name as group or vice-versa. It's written using plus (+) as
 first character in line.
 <br>+<i>group</i>:<i>user</i>[,<i>user</i>...]</p>
@@ -28,8 +33,9 @@
 <li><tt>C</tt> clear the permission (default is to set)
 <li><tt>D</tt> deny access (default is grant)
 <li><tt>O</tt> one-level trustee only <small>(this means that those permissions
-	will not be inherited on directories and files upwards from current
-	level -- it's usefull for root directory only anonymous access)
+	will not be inherited on directories and files downwards from current
+	level -- it's useful for <a href="#anonymous">anonymous access</a>)
+	</small>
 </ul>
 
 Valid permissions:
@@ -43,7 +49,7 @@
 <h2>Examples</h2>
 
 <pre>
-# dpavlin is admin (grant all access to members of root group)
+# dpavlin is administrator (grant all access to members of root group)
 +root:dpavlin
 /:root:RWB
 # give read-only access to all users
@@ -71,7 +77,71 @@
 
 Which will work.
 
+<p>If you want to allow just one user (<i>editor</i>) to have write
+persmissions on file <i>one_editor.txt</i> while all others can read it, you
+could do something like:
+
+<pre>
+/one_editor.txt:*:DW:editor:CRWB
+</pre>
+
+Order of statements is not important. Trustees are always evaluated from
+universal ones (e.g. ones for all users; with *) to specific for this
+user (in this case, for user <i>editor</i>). However, this example
+wouldn't work without <b>C</b> for user <i>editor</i> because <b>deny</b>
+for write would have precidence.
+
+<p>
 <big>FIX</big> write more examples, better descriptions...
+</p>
+
+<a name="anonymous">
+<h3>Anonymous access</h3>
+
+<p>One of great advantages of using trustees is that you can allow
+anonymous access (without login). You should pay attention to access
+right, because you probably don't want anonymous users to see all files
+or folders in your repository.
+</p>
+
+<p>First, you will have to add browse trustee to anonymous user
+on root directory -- docman will ignore all anonymous users if
+you don't do this.
+<pre>
+	/:anonymous:BO
+</pre>
+You really <b>want to use flags <tt>BO</tt></b> and not just <tt>B</tt> because
+if you specify just <tt>B</tt> anonymous users will be able to browse (see
+directory names) of your whole repository. This way you can explicitly
+allow (or deny) which sub-directories you want anonymous users to browse.
+<br>For example, this will allow anonymous users to see and read everything
+in <tt>/pub</tt> and to store documents in <tt>/incoming</tt>:
+<pre>
+	/pub:anonymous:RB
+	/incoming:anonymous:RWB
+</pre>
+You might also want to hide some directory from anonymous users, and you
+can do that using:
+<pre>
+	/private:anonymous:DB
+</pre>
+If you would like to <b>give all your users</b> which are authenticated via
+login and password <b>all access</b> to all files (like in old docman v1.x) you
+also have to add 
+<pre>
+	/:*:RWB
+</pre>
+However, that <b>will not add all
+permission to anonymous users</b>. If you want to add all that permission
+to anonymous users (which will create wiki-like community for sharing files)
+you must explicitly say that you allow that to anonymous users:
+<pre>
+	/:anonymous:RWB
+</pre>
+All those setting will create environment which is very like docman v1.x,
+but with anonymous users allowed to see document in <tt>/pub</tt> and
+upload them in <tt>/incoming</tt>.
+</p>
 
 <h2>Default security</h2>