Message from discussion Frustration with permissions/security
From: Roman <bummz...@gmail.com>
Date: Fri, 12 Oct 2012 11:01:05 +0200
Local: Fri, Oct 12 2012 5:01 am
Subject: Frustration with permissions/security
Hello SilverStripe Developers

I'm posting this, because I'm actively using SS3 for client-work and I'm
having several gripes with permissions. As a pretext I have to mention,
that I usually don't give full Admin rights to clients. My permissions I
give to clients mostly look like the "Content Authors" settings that are
already present with a fresh SilverStripe install.

The first and foremost problem is, that Groups like the "Content
Authors" (SS3 default) are basically useless, because of the "PING" bug:
http://open.silverstripe.org/ticket/7915
(this can currently be circumvented by giving access to all CMS sections)

Then there was this issue, where users weren't able to access
SiteConfig, even when they had the proper permission set ("Manage site
configuration"):
http://open.silverstripe.org/ticket/7902
(this will be fixed in 3.0.3)

But there are plenty of other things that bother me:

*Non-Admin users don't have CRUD permissions on DataObjects*
This might be a sensible default, but it's really cumbersome to override
the `canDelete` `canView` `canEdit` methods for every DataObject. More
so, there doesn't seem to be a useful existing permission to check in
these methods. If I check for `CMS_ACCESS_CMSMain` (which seems
reasonable), it works fine for the "Content Authors" account. If I choose
to switch to the "Access to all CMS Sections" permission (for example to
work around the "ping" bug), then the `CMS_ACCESS_CMSMain` permission is
gone. Instead the user will have `CMS_ACCESS_LeftAndMain`... and
apparently permissions don't cascade. While in reality,
`CMS_ACCESS_LeftAndMain` includes `CMS_ACCESS_CMSMain`, it doesn't work
when I check with `Requirements::check('CMS_ACCESS_CMSMain');`.

I know that I could create my own permissions and check for these. But
this all seems to be a lot of additional work which just wasn't there
with SS2.x.

*Non-admin users don't have any Edit/Remove/Delete from Files Buttons on
Images*
When adding images to a page using the UploadField, then non-admin users
don't see any of the buttons to actually remove an image. So while they
can upload an image on a newly created page, they can't remove it or
replace it afterwards. This is only true for users who have the "Access
to all CMS sections" permission set. It works for the "Content Authors"
group... which leads me to the conclusion, that there is something
similar going on as described above: Most likely, UploadField checks the
`CMS_ACCESS_CMSMain` permission to decide whether or not to display the
buttons. But when "Access to all CMS sections" is granted to the user,
he actually doesn't have that permission, instead he gets
`CMS_ACCESS_LeftAndMain`.

These are the main gripes with security for me at the moment. I could go
and create some tickets for these issues, but I'd like to hear what the
developer community has to say about this. Are you guys working on the
permission system for an upcoming version of SilverStripe? Wouldn't it
be a good idea to have an existing permission to check whether or not a
user is logged in to the backend and can edit pages? Other ideas?

Best regards
- Roman

P.S. Sorry this turned out to be quite a lengthy post :(
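
An added example, not part of Roman's post or SilverStripe's own code: one way to keep the default-deny behaviour on DataObjects while accepting either of the two permission codes the post discusses, written once in a base class instead of per DataObject. The class names `AuthorManagedObject` and `Testimonial` are hypothetical, and the sketch assumes SilverStripe 3's `Permission::check()` accepts an array of codes and passes when the member holds any one of them.

```php
<?php
/**
 * Hypothetical base class (added example): DataObjects extending it are
 * manageable by any CMS user holding one of the listed permission codes.
 */
class AuthorManagedObject extends DataObject {

    // A group is granted either the section-specific code or the
    // "Access to all CMS sections" code. A check for one does not
    // match the other, so both are listed explicitly.
    protected static $cms_access_codes = array(
        'CMS_ACCESS_CMSMain',
        'CMS_ACCESS_LeftAndMain',
    );

    // Single decision point for all four CRUD checks.
    // With $member = null the currently logged-in user is checked;
    // anonymous visitors are denied. ADMIN users pass as usual.
    protected function canManage($member = null) {
        return (bool) Permission::check(static::$cms_access_codes, 'any', $member);
    }

    public function canView($member = null) {
        return $this->canManage($member);
    }

    public function canEdit($member = null) {
        return $this->canManage($member);
    }

    public function canDelete($member = null) {
        return $this->canManage($member);
    }

    public function canCreate($member = null) {
        return $this->canManage($member);
    }
}

// Hypothetical concrete object: inherits the checks, no per-class overrides.
class Testimonial extends AuthorManagedObject {
    public static $db = array(
        'Quote' => 'Text',
    );
}
```

A subclass that needs a narrower rule can redeclare `$cms_access_codes` or override a single `can*` method; everything else stays denied unless one of the listed codes is held.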


 