From: garvinhicking <garvinhicking>
Date: Sun, 5 Jun 2005 20:39:34 +0000 (+0000)
Subject: ACL group permission setup for Serendipity.
X-Git-Tag: 0.9~422
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=9c4da2be8af42b390128d29a88d6511891c783a4;p=s9y.git

ACL group permission setup for Serendipity.

Very experimental. I tested it until my head went into flames.
Testers very much appreciated. There's a little notice in the docs/NEWs
file for future TODOs.

I need QA guys who check if the system is exploitable; please read
more on the mailinglist.
---

diff --git a/docs/NEWS b/docs/NEWS
index dc7ea22..58d79de 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,6 +3,20 @@
 Version 0.9 ()
 ------------------------------------------------------------------------
 
+    * Introduce permission groups with customizable permission sets.
+      (garvinhicking)
+      
+      This Feature is currently declared "unstable" and will definitely
+      need finetuning before it usable in restricted environments.
+      TODO: 
+      * Check Plugins like loginform, adduser to use group-functionality.
+      * Get rid of as many obsolete userlevel checks in the Admin user/groups
+        panel.
+      * Chief editors may not join Admin group if forbidden?
+      * Chief editors may not enter siteConfiguration if forbidden?
+
+    * Make bblog importer recognize trackbacks. Thanks to Hanno!
+
     * Spartacus plugin can now properly handle plugins which contain both
       sidebar and event plugins in one directory (garvinhicking)
 
diff --git a/include/admin/category.inc.php b/include/admin/category.inc.php
index d55a884..066efaa 100644
--- a/include/admin/category.inc.php
+++ b/include/admin/category.inc.php
@@ -6,11 +6,11 @@ if (IN_serendipity !== true) {
     die ("Don't hack!");
 }
 
-if ($serendipity['no_create']) {
+if (!serendipity_checkPermission('adminCategory')) {
     return;
 }
 
-$admin_category = ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF ? "AND (authorid = 0 OR authorid = " . (int)$serendipity['authorid'] . ")" : '');
+$admin_category = (!serendipity_checkPermission('adminCategoriesMaintainOthers') ? "AND (authorid = 0 OR authorid = " . (int)$serendipity['authorid'] . ")" : '');
 
 /* Add a new category */
 if (isset($_POST['SAVE'])) {
@@ -108,7 +108,8 @@ if ($serendipity['GET']['adminAction'] == 'doDelete') {
 <?php
     if ( $serendipity['GET']['adminAction'] == 'delete' ) {
         $this_cat = serendipity_fetchCategoryInfo($serendipity['GET']['cid']);
-        if ($serendipity['serendipityUserlevel'] >= USERLEVEL_CHIEF || $serendipity['authorid'] == $this_cat['authorid'] || $this_cat['authorid'] == '0') {
+        if (   (serendipity_checkPermission('adminCategoriesDelete') && serendipity_checkPermission('adminCategoriesMaintainOthers'))
+            || (serendipity_checkPermission('adminCategoriesDelete') && ($serendipity['authorid'] == $this_cat['authorid'] || $this_cat['authorid'] == '0')) ) { 
 ?>
         <form method="POST" name="serendipityCategory" action="?serendipity[adminModule]=category&amp;serendipity[adminAction]=doDelete&amp;serendipity[cid]=<?php echo $serendipity['GET']['cid'] ?>">
             <br />
@@ -119,7 +120,7 @@ if ($serendipity['GET']['adminAction'] == 'doDelete') {
     $cats = serendipity_fetchCategories('all');
     /* TODO, show dropdown as nested categories */
     foreach ($cats as $cat_data) {
-        if ($cat_data['categoryid'] != $serendipity['GET']['cid'] && ($serendipity['serendipityUserlevel'] >= USERLEVEL_ADMIN || $cat_data['authorid'] == '0' || $cat_data['authorid'] == $serendipity['authorid'])) {
+        if ($cat_data['categoryid'] != $serendipity['GET']['cid'] && (serendipity_checkPermission('adminCategoriesMaintainOthers') || $cat_data['authorid'] == '0' || $cat_data['authorid'] == $serendipity['authorid'])) {
             echo '<option value="' . $cat_data['categoryid'] . '">' . htmlspecialchars($cat_data['category_name']) . '</option>' . "\n";
         }
     }
diff --git a/include/admin/comments.inc.php b/include/admin/comments.inc.php
index 32154a2..53a5b0f 100644
--- a/include/admin/comments.inc.php
+++ b/include/admin/comments.inc.php
@@ -6,7 +6,7 @@ if (IN_serendipity !== true) {
     die ("Don't hack!");
 }
 
-if ($serendipity['no_create']) {
+if (!serendipity_checkPermission('adminComments')) {
     return;
 }
 
@@ -164,7 +164,7 @@ $sql = serendipity_db_query("SELECT c.*, e.title FROM {$serendipity['dbPrefix']}
                                 LEFT JOIN {$serendipity['dbPrefix']}entries e ON (e.id = c.entry_id)
                                 WHERE type = '$c_type'
                                 ". $and ."
-                                " . (($serendipity['serendipityUserlevel'] != USERLEVEL_ADMIN) ? 'AND e.authorid = ' . (int)$serendipity['authorid'] : '') . "
+                                " . (!serendipity_checkPermission('adminEntriesMaintainOthers') ? 'AND e.authorid = ' . (int)$serendipity['authorid'] : '') . "
                                 ORDER BY c.id DESC $limit");
 ?>
 <script type="text/javascript">
diff --git a/include/admin/configuration.inc.php b/include/admin/configuration.inc.php
index 561ea95..e34cc99 100644
--- a/include/admin/configuration.inc.php
+++ b/include/admin/configuration.inc.php
@@ -10,6 +10,10 @@ if (!isset($_POST['installAction'])) {
     $_POST['installAction'] = '';
 }
 
+if (!serendipity_checkPermission('siteConfiguration') && !!serendipity_checkPermission('blogConfiguration')) {
+    return;
+}
+
 switch ($_POST['installAction']) {
     case 'check':
         $oldConfig = $serendipity;
@@ -43,10 +47,7 @@ switch ($_POST['installAction']) {
                 }
             }            
 
-print_r($permalinkOld); // DEBUG
-print_r($permalinkNew); // DEBUG
-
-            if ($serendipity['serendipityUserlevel'] >= USERLEVEL_ADMIN && serialize($permalinkOld) != serialize($permalinkNew)) {
+            if (serendipity_checkPermission('siteConfiguration') && serialize($permalinkOld) != serialize($permalinkNew)) {
                 printf(ATTEMPT_WRITE_FILE, $serendipity['serendipityPath'] . '.htaccess');
                 $res = serendipity_installFiles($serendipity['serendipityPath']);
                 if (is_array($res)) {
diff --git a/include/admin/entries.inc.php b/include/admin/entries.inc.php
index 0dbd19f..b2a9b57 100644
--- a/include/admin/entries.inc.php
+++ b/include/admin/entries.inc.php
@@ -6,7 +6,7 @@ if (IN_serendipity !== true) {
     die ("Don't hack!");
 }
 
-if ($serendipity['no_create']) {
+if (!serendipity_checkPermission('adminEntries')) {
     return;
 }
 
diff --git a/include/admin/groups.inc.php b/include/admin/groups.inc.php
new file mode 100644
index 0000000..323822b
--- /dev/null
+++ b/include/admin/groups.inc.php
@@ -0,0 +1,197 @@
+<?php # $Id: users.inc.php 114 2005-05-22 15:37:11Z garvinhicking $
+# Copyright (c) 2003-2005, Jannis Hermanns (on behalf the Serendipity Developer Team)
+# All rights reserved.  See LICENSE file for licensing details
+
+if (IN_serendipity !== true) {
+    die ('Don\'t hack!');
+}
+
+if (!serendipity_checkPermission('adminUsersGroups')) {
+    return;
+}
+
+/* Delete a group */
+if (isset($_POST['DELETE_YES'])) {
+    $group = serendipity_fetchGroup($serendipity['POST']['group']);
+    serendipity_deleteGroup($serendipity['POST']['group']);
+    printf('<div class="serendipityAdminMsgSuccess">' . DELETED_GROUP . '</div>', $serendipity['POST']['group'], $group['name']);
+}
+
+/* Save new group */
+if (isset($_POST['SAVE_NEW'])) {
+    $serendipity['POST']['group'] = serendipity_addGroup($serendipity['POST']['name']);
+    $perms = serendipity_getAllPermissionNames();    
+    serendipity_updateGroupConfig($serendipity['POST']['group'], $perms, $serendipity['POST']);
+    printf('<div class="serendipityAdminMsgSuccess">' . CREATED_GROUP . '</div>', '#' . $serendipity['POST']['group'] . ', ' . $serendipity['POST']['name']);
+}
+
+
+/* Edit a group */
+if (isset($_POST['SAVE_EDIT'])) {
+    $perms = serendipity_getAllPermissionNames();    
+    serendipity_updateGroupConfig($serendipity['POST']['group'], $perms, $serendipity['POST']);
+    printf('<div class="serendipityAdminMsgSuccess">' . MODIFIED_GROUP . '</div>', $serendipity['POST']['name']);
+}
+
+if ( $serendipity['GET']['adminAction'] != 'delete' ) {
+?>
+    <table width="100%">
+        <tr>
+            <td><strong><?php echo GROUP; ?></strong></td>
+            <td width="200">&nbsp;</td>
+        </tr>
+        <tr>
+            <td colspan="3">
+<?php
+if (serendipity_checkPermission('adminUsersMaintainOthers')) {
+    $groups = serendipity_getAllGroups();
+} elseif (serendipity_checkPermission('adminUsersMaintainSame')) {
+    $groups = serendipity_getAllGroups($serendipity['authorid']);
+} else {
+    $groups = array();
+}
+$i = 0;
+foreach($groups as $group) {
+?>
+<div class="serendipity_admin_list_item serendipity_admin_list_item_<?php echo ($i++ % 2) ? 'even' : 'uneven' ?>">
+<table width="100%">
+    <tr>
+        <td><?php echo htmlspecialchars($group['name']); ?></td>
+        <td width="200" align="right"> [<a href="?serendipity[adminModule]=groups&amp;serendipity[adminAction]=edit&amp;serendipity[group]=<?php echo $group['id'] ?>"><?php echo EDIT ?></a>]
+                                     - [<a href="?serendipity[adminModule]=groups&amp;serendipity[adminAction]=delete&amp;serendipity[group]=<?php echo $group['id'] ?>"><?php echo DELETE ?></a>]</td>
+    </tr>
+</table>
+</div>
+<?php
+    }
+?>
+            </tr>
+        </tr>
+<?php if ( !isset($_POST['NEW']) ) { ?>
+        <tr>
+            <td colspan="3" align="right">
+                <form action="?serendipity[adminModule]=groups" method="post">
+                    <input type="submit" name="NEW"   value="<?php echo CREATE_NEW_GROUP; ?>" class="serendipityPrettyButton" />
+                </form>
+            </td>
+        </tr>
+<?php } ?>
+    </table>
+
+<?php
+}
+
+
+if ($serendipity['GET']['adminAction'] == 'edit' || isset($_POST['NEW'])) {
+?>
+<br />
+<br />
+<hr noshade="noshade">
+<form action="?serendipity[adminModule]=groups" method="post">
+    <div>
+    <h3>
+<?php
+if ($serendipity['GET']['adminAction'] == 'edit') {
+    $group = serendipity_fetchGroup($serendipity['GET']['group']);
+    echo EDIT;
+    $from = &$group;
+    echo '<input type="hidden" name="serendipity[group]" value="' . $from['id'] . '" />';
+} else {
+    echo CREATE;
+    $from = array();
+}
+?>
+    </h3>
+
+<table>
+    <tr>
+        <td><?php echo NAME; ?></td>
+        <td><input type="text" name="serendipity[name]" value="<?php echo htmlspecialchars($from['name']); ?>" /></td>
+    </tr>
+    <tr>
+        <td valign="top"><?php echo USERCONF_GROUPS; ?></td>
+        <td><select name="serendipity[members][]" multiple="multiple" size="5">
+<?php
+$allusers = serendipity_fetchUsers();
+$users    = serendipity_getGroupUsers($from['id']);
+
+$selected = array();
+foreach($users AS $user) {
+    $selected[$user['id']] = true;
+}
+
+foreach($allusers AS $user) {
+    echo '<option value="' . (int)$user['authorid'] . '" ' . (isset($selected[$user['authorid']]) ? 'selected="selected"' : '') . '>' . htmlspecialchars($user['realname']) . '</option>' . "\n";
+}
+?>
+            </select>
+        </td>
+    </tr>
+    <tr>
+        <td colspan="2">&nbsp;</td>
+    </tr>
+<?php
+    $perms = serendipity_getAllPermissionNames();    
+    ksort($perms);
+    foreach($perms AS $perm => $userlevels) {
+        if (isset($from[$perm]) && $from[$perm] === 'true') {
+            $selected = 'checked="checked"';
+        } else {
+            $selected = '';
+        }
+
+        if (!isset($section)) {
+            $section = $perm;
+        }
+        
+        if ($section != $perm && substr($perm, 0, strlen($section)) == $section) {
+            $indent  = '&nbsp;&nbsp;';
+            $indentB = '';
+        } elseif ($section != $perm) {
+            $indent  = '<br />';
+            $indentB = '<br />';
+            $section = $perm;
+        }
+
+        if (in_array('protected', $userlevels, true) && !serendipity_checkPermission($perm)) {
+            echo "<tr>\n";
+            echo "<td>$indent" . htmlspecialchars($perm) . "</td>\n";
+            echo '<td>' . $indentB . ' ' . (!empty($selected) ? YES : NO) . '</td>' . "\n";
+            echo "</tr>\n";
+        } else {
+            echo "<tr>\n";
+            echo "<td>$indent<label for=\"" . htmlspecialchars($perm) . "\">" . htmlspecialchars($perm) . "</label></td>\n";
+            echo '<td>' . $indentB . '<input id="' . htmlspecialchars($perm) . '" type="checkbox" name="serendipity[' . htmlspecialchars($perm) . ']" value="true" ' . $selected . ' /></td>' . "\n";
+            echo "</tr>\n";
+        }
+    }
+?>
+</table>
+
+<?php
+if ($serendipity['GET']['adminAction'] == 'edit') { ?>
+        <input type="submit" name="SAVE_EDIT"   value="<?php echo SAVE; ?>" class="serendipityPrettyButton" />
+<?php } else { ?>
+        <input type="submit" name="SAVE_NEW" value="<?php echo CREATE_NEW_GROUP; ?>" class="serendipityPrettyButton" />
+<?php } ?>
+
+    </div>
+</form>
+<?php
+} elseif ($serendipity['GET']['adminAction'] == 'delete') {
+    $group = serendipity_fetchGroup($serendipity['GET']['group']);
+?>
+<form action="?serendipity[adminModule]=groups" method="post">
+    <div>
+    <?php printf(DELETE_GROUP, $serendipity['GET']['group'], $group['name']); ?>
+        <br /><br />
+        <input type="hidden" name="serendipity[group]" value="<?php echo $serendipity['GET']['group']; ?>" />
+        <input type="submit" name="DELETE_YES" value="<?php echo DUMP_IT; ?>" class="serendipityPrettyButton" />
+        <input type="submit" name="NO" value="<?php echo NOT_REALLY; ?>" class="serendipityPrettyButton" />
+    </div>
+</form>
+<?php
+}
+
+/* vim: set sts=4 ts=4 expandtab : */
+?>
diff --git a/include/admin/images.inc.php b/include/admin/images.inc.php
index f6773ed..3f4a685 100644
--- a/include/admin/images.inc.php
+++ b/include/admin/images.inc.php
@@ -6,12 +6,15 @@ if (IN_serendipity !== true) {
     die ("Don't hack!");
 }
 
-if ($serendipity['no_create']) {
+if (!serendipity_checkPermission('adminImages')) {
     return;
 }
 
 switch ($serendipity['GET']['adminAction']) {
     case 'sync':
+        if (!serendipity_checkPermission('adminImagesSync')) {
+            break;
+        }
         set_time_limit(0);
         ignore_user_abort();
 
@@ -30,6 +33,10 @@ switch ($serendipity['GET']['adminAction']) {
         break;
 
     case 'DoDelete':
+        if (!serendipity_checkPermission('adminImagesDelete')) {
+            break;
+        }
+
         $file   = $serendipity['GET']['fname'];
         serendipity_deleteImage($serendipity['GET']['fid']);
         break;
@@ -37,7 +44,7 @@ switch ($serendipity['GET']['adminAction']) {
     case 'delete':
         $file     = serendipity_fetchImageFromDatabase($serendipity['GET']['fid']);
 
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid']) {
+        if (!serendipity_checkPermission('adminImagesDelete') || (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid'])) {
             return;
         }
 
@@ -60,7 +67,7 @@ switch ($serendipity['GET']['adminAction']) {
         $file = serendipity_fetchImageFromDatabase($serendipity['GET']['fid']);
         $serendipity['GET']['newname'] = serendipity_uploadSecure($serendipity['GET']['newname'], true);
 
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid']) {
+        if (!serendipity_checkPermission('adminImagesDelete') || (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid'])) {
             return;
         }
 
@@ -112,6 +119,10 @@ switch ($serendipity['GET']['adminAction']) {
         break;
 
     case 'add':
+        if (!serendipity_checkPermission('adminImagesAdd')) {
+            return;
+        }
+
 ?>
     <b><?php echo ADDING_IMAGE; ?></b>
     <br /><br />
@@ -235,7 +246,7 @@ switch ($serendipity['GET']['adminAction']) {
 
 
     case 'directoryDoDelete':
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+        if (!serendipity_checkPermission('adminImagesDirectories')) {
             return;
         }
 
@@ -252,8 +263,9 @@ switch ($serendipity['GET']['adminAction']) {
         }
 
         break;
+
     case 'directoryDelete':
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+        if (!serendipity_checkPermission('adminImagesDirectories')) {
             return;
         }
 ?>
@@ -283,9 +295,8 @@ switch ($serendipity['GET']['adminAction']) {
 <?php
         break;
 
-
     case 'directoryDoCreate':
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+        if (!serendipity_checkPermission('adminImagesDirectories')) {
             return;
         }
 
@@ -301,13 +312,10 @@ switch ($serendipity['GET']['adminAction']) {
             printf(DIRECTORY_WRITE_ERROR, $new_dir);
         }
 
-
-
         break;
 
-
     case 'directoryCreate':
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+        if (!serendipity_checkPermission('adminImagesDirectories')) {
             return;
         }
 ?>
@@ -338,7 +346,7 @@ switch ($serendipity['GET']['adminAction']) {
         break;
 
     case 'directorySelect':
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+        if (!serendipity_checkPermission('adminImagesDirectories')) {
             return;
         }
 
@@ -364,6 +372,10 @@ switch ($serendipity['GET']['adminAction']) {
         break;
 
     case 'addSelect':
+        if (!serendipity_checkPermission('adminImagesAdd')) {
+            return;
+        }
+
 ?>
     <?php echo ADD_MEDIA_BLAHBLAH; ?>
 
@@ -615,7 +627,12 @@ switch ($serendipity['GET']['adminAction']) {
     break;
 
     case 'rotateCW':
-        if ( serendipity_rotateImg($serendipity['GET']['fid'], -90) ) {
+        $file = serendipity_fetchImageFromDatabase($serendipity['GET']['fid']);
+        if (!serendipity_checkPermission('adminImagesDelete') || (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid'])) {
+            return;
+        }
+
+        if (serendipity_rotateImg($serendipity['GET']['fid'], -90)) {
 ?>
         <script language="javascript" type="text/javascript">
             location.href="<?php echo $_SERVER['HTTP_REFERER'] ?>";
@@ -626,7 +643,12 @@ switch ($serendipity['GET']['adminAction']) {
     break;
 
     case 'rotateCCW':
-        if ( serendipity_rotateImg($serendipity['GET']['fid'], 90) ) {
+        $file = serendipity_fetchImageFromDatabase($serendipity['GET']['fid']);
+        if (!serendipity_checkPermission('adminImagesDelete') || (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid'])) {
+            return;
+        }
+
+        if (serendipity_rotateImg($serendipity['GET']['fid'], 90)) {
 ?>
         <script language="javascript" type="text/javascript">
             location.href="<?php echo $_SERVER['HTTP_REFERER'] ?>";
@@ -639,7 +661,7 @@ switch ($serendipity['GET']['adminAction']) {
     case 'scale':
         $file = serendipity_fetchImageFromDatabase($serendipity['GET']['fid']);
 
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid']) {
+        if (!serendipity_checkPermission('adminImagesDelete') || (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid'])) {
             return;
         }
 
@@ -665,7 +687,7 @@ switch ($serendipity['GET']['adminAction']) {
     case 'scaleSelect':
         $file = serendipity_fetchImageFromDatabase($serendipity['GET']['fid']);
 
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid']) {
+        if (!serendipity_checkPermission('adminImagesDelete') || (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid'])) {
             return;
         }
 
@@ -723,6 +745,10 @@ switch ($serendipity['GET']['adminAction']) {
         break;
 
     default:
+        if (!serendipity_checkPermission('adminImagesView')) {
+            return;
+        }
+
 ?>
 <script type="text/javascript" language="javascript">
     <!--
diff --git a/include/admin/import.inc.php b/include/admin/import.inc.php
index 5ec20ed..d3bf0e3 100644
--- a/include/admin/import.inc.php
+++ b/include/admin/import.inc.php
@@ -5,7 +5,8 @@
 if (IN_serendipity !== true) {
     die ("Don't hack!");
 }
-if ( $serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF ) {
+
+if (!serendipity_checkPermission('adminImport')) {
     return;
 }
 
diff --git a/include/admin/personal.inc.php b/include/admin/personal.inc.php
index dfe1d20..ae8842d 100644
--- a/include/admin/personal.inc.php
+++ b/include/admin/personal.inc.php
@@ -6,20 +6,29 @@ if (IN_serendipity !== true) {
     die ("Don't hack!");
 }
 
+if (!serendipity_checkPermission('personalConfiguration')) {
+    return;
+}
+
 $from = array();
 
 if ( $serendipity['GET']['adminAction'] == 'save' ) {
     $config = serendipity_parseTemplate(S9Y_CONFIG_USERTEMPLATE);
-    if ((int)$_POST['userlevel'] > $serendipity['serendipityUserlevel']) {
+    if (!serendipity_checkPermission('adminUsersEditUserlevel') && (int)$_POST['userlevel'] > $serendipity['serendipityUserlevel']) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED_USERLEVEL . '</div>';
     } else {
         foreach($config as $category) {
             foreach ($category['items'] as $item) {
-                if ( serendipity_checkConfigItemFlags($item, 'local') ) {
+                if (in_array('groups', $item['flags'])) {
+                    serendipity_updateGroups($_POST[$item['var']], $serendipity['authorid']);
+                    continue;
+                }
+
+                if (serendipity_checkConfigItemFlags($item, 'local')) {
                     serendipity_set_user_var($item['var'], $_POST[$item['var']], $serendipity['authorid'], true);
                 }
 
-                if ( serendipity_checkConfigItemFlags($item, 'configuration') ) {
+                if (serendipity_checkConfigItemFlags($item, 'configuration')) {
                     serendipity_set_config_var($item['var'], $_POST[$item['var']], $serendipity['authorid']);
                 }
             }
@@ -32,9 +41,10 @@ if ( $serendipity['GET']['adminAction'] == 'save' ) {
 
 <form action="?serendipity[adminModule]=personal&amp;serendipity[adminAction]=save" method="post">
 <?php
-$template   = serendipity_parseTemplate(S9Y_CONFIG_USERTEMPLATE);
-$user       = serendipity_fetchUsers($serendipity['authorid']);
-$from       = $user[0];
+$template       = serendipity_parseTemplate(S9Y_CONFIG_USERTEMPLATE);
+$user           = serendipity_fetchUsers($serendipity['authorid']);
+$from           = $user[0];
+$from['groups'] = serendipity_getGroups($serendipity['authorid']); 
 unset($from['password']);
 serendipity_printConfigTemplate($template, $from, true, false);
 ?>
diff --git a/include/admin/plugins.inc.php b/include/admin/plugins.inc.php
index 4b14101..96abd44 100644
--- a/include/admin/plugins.inc.php
+++ b/include/admin/plugins.inc.php
@@ -6,7 +6,7 @@ if (IN_serendipity !== true) {
     die ('Don\'t hack!');
 }
 
-if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+if (!serendipity_checkPermission('adminPlugins')) {
     return;
 }
 
@@ -59,7 +59,7 @@ function show_plugins($event_only = false)
         foreach ($plugins as $plugin_data) {
             $plugin =& serendipity_plugin_api::load_plugin($plugin_data['name'], $plugin_data['authorid']);
             $key    = urlencode($plugin_data['name']);
-            $is_plugin_owner    = ($plugin_data['authorid'] == $serendipity['authorid'] || $serendipity['serendipityUserlevel'] >= USERLEVEL_ADMIN);
+            $is_plugin_owner    = ($plugin_data['authorid'] == $serendipity['authorid'] || serendipity_checkPermission('adminPluginsMaintainOthers'));
             $is_plugin_editable = ($is_plugin_owner || $plugin_data['authorid'] == '0');
 
             if (!is_object($plugin)) {
@@ -76,7 +76,7 @@ function show_plugins($event_only = false)
 
                 $title = serendipity_plugin_api::get_plugin_title($plugin, '[' . $name . ']');
 
-                if ($bag->is_set('configuration') && ($plugin->protected === FALSE || $plugin_data['authorid'] == '0' || $plugin_data['authorid'] == $serendipity['authorid'] || $serendipity['serendipityUserlevel'] >= USERLEVEL_ADMIN)) {
+                if ($bag->is_set('configuration') && ($plugin->protected === FALSE || $plugin_data['authorid'] == '0' || $plugin_data['authorid'] == $serendipity['authorid'] || serendipity_checkPermission('adminPluginsMaintainOthers'))) {
                     $can_configure = true;
                 } else {
                     $can_configure = false;
@@ -249,7 +249,7 @@ if (isset($_GET['serendipity']['plugin_to_conf'])) {
     /* configure a specific instance */
     $plugin =& serendipity_plugin_api::load_plugin($_GET['serendipity']['plugin_to_conf']);
 
-    if (!($plugin->protected === FALSE || $plugin->serendipity_owner == '0' || $plugin->serendipity_owner == $serendipity['authorid'] || $serendipity['serendipityUserlevel'] >= USERLEVEL_ADMIN)) {
+    if (!($plugin->protected === FALSE || $plugin->serendipity_owner == '0' || $plugin->serendipity_owner == $serendipity['authorid'] || serendipity_checkPermission('adminPluginsMaintainOthers'))) {
         return;
     }
 
@@ -689,7 +689,7 @@ if (isset($_GET['serendipity']['plugin_to_conf'])) {
 
     if (isset($serendipity['GET']['install_plugin'])) {
         $authorid = $serendipity['authorid'];
-        if ($serendipity['serendipityUserlevel'] >= USERLEVEL_ADMIN) {
+        if (serendipity_checkPermission('adminPluginsMaintainOthers')) {
             $authorid = '0';
         }
 
@@ -722,7 +722,7 @@ if (isset($_GET['serendipity']['plugin_to_conf'])) {
             foreach ($_POST['serendipity']['plugin_to_remove'] as $key) {
                 $plugin =& serendipity_plugin_api::load_plugin($key);
     
-                if ($plugin->serendipity_owner == '0' || $plugin->serendipity_owner == $serendipity['authorid'] || $serendipity['serendipityUserlevel'] >= USERLEVEL_ADMIN) {
+                if ($plugin->serendipity_owner == '0' || $plugin->serendipity_owner == $serendipity['authorid'] || serendipity_checkPermission('adminPluginsMaintainOthers')) {
                     serendipity_plugin_api::remove_plugin_instance($key);
                 }
             }
diff --git a/include/admin/templates.inc.php b/include/admin/templates.inc.php
index 2587edd..cd7bdec 100644
--- a/include/admin/templates.inc.php
+++ b/include/admin/templates.inc.php
@@ -6,7 +6,7 @@ if (IN_serendipity !== true) {
     die ("Don't hack!");
 }
 
-if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+if (!serendipity_checkPermission('adminTemplates')) {
     return;
 }
 
diff --git a/include/admin/upgrader.inc.php b/include/admin/upgrader.inc.php
index 406f44a..b1cd936 100644
--- a/include/admin/upgrader.inc.php
+++ b/include/admin/upgrader.inc.php
@@ -132,6 +132,12 @@ $tasks = array(array('version'   => '0.5.1',
                      'function'  => 'serendipity_buildPermalinks',
                      'title'     => 'Build permalink patterns',
                      'desc'      => 'This version introduces user-configurable Permalinks and needs to pre-cache the list of all permalinks to be later able to fetch the corresponding entries for a permalink.'),
+
+               array('version'   => '0.9-alpha3',
+                     'function'  => 'serendipity_addDefaultGroups',
+                     'title'     => 'Introduce author groups',
+                     'desc'      => 'This version introduces customizable user groups. Your existing users will be migrated into the new default groups.'),
+
 );
 
 /* Fetch SQL files which needs to be run */
diff --git a/include/admin/users.inc.php b/include/admin/users.inc.php
index 25e9c49..f17f16c 100644
--- a/include/admin/users.inc.php
+++ b/include/admin/users.inc.php
@@ -6,7 +6,7 @@ if (IN_serendipity !== true) {
     die ('Don\'t hack!');
 }
 
-if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+if (!serendipity_checkPermission('adminUsers')) {
     return;
 }
 
@@ -15,32 +15,65 @@ require_once(S9Y_INCLUDE_PATH . 'include/functions_installer.inc.php');
 /* Delete a user */
 if (isset($_POST['DELETE_YES'])) {
     $user = serendipity_fetchUsers($serendipity['POST']['user']);
-    if ($user[0]['userlevel'] >= $serendipity['serendipityUserlevel'] && $serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN) {
+    if ($user[0]['userlevel'] >= $serendipity['serendipityUserlevel'] || !serendipity_checkPermission('adminUsersDelete')) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED . '</div>';
     } elseif ($_POST['userlevel'] > $serendipity['serendipityUserlevel']) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED_USERLEVEL . '</div>';
     } else {
-        serendipity_deleteAuthor($user[0]['authorid']);
-        printf('<div class="serendipityAdminMsgSuccess">' . DELETED_USER . '</div>', $serendipity['POST']['user'], $user[0]['realname']);
+        $group_intersect = serendipity_intersectGroup($user[0]['authorid']);
+        
+        if (serendipity_checkPermission('adminUsersMaintainOthers') ||
+            (serendipity_checkPermission('adminUsersMaintainSame') && $group_intersect)) {
+            serendipity_deleteAuthor($user[0]['authorid']);
+            printf('<div class="serendipityAdminMsgSuccess">' . DELETED_USER . '</div>', $serendipity['POST']['user'], $user[0]['realname']);
+        } else {
+            echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED_USERLEVEL . '</div>';
+        }
     }
 }
 
 
 /* Save new user */
 if (isset($_POST['SAVE_NEW'])) {
-    if ($_POST['userlevel'] >= $serendipity['serendipityUserlevel'] && $serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN) {
+    if ($_POST['userlevel'] >= $serendipity['serendipityUserlevel'] || !serendipity_checkPermission('adminUsersCreateNew')) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED . '</div>';
     } else {
         $serendipity['POST']['user'] = serendipity_addAuthor($_POST['username'], $_POST['pass'], $_POST['realname'], $_POST['email'], $_POST['userlevel']);
 
+        $valid_groups = serendipity_getGroups($serendipity['authorid'], true);
         /* Save all the properties */
         $config = serendipity_parseTemplate(S9Y_CONFIG_USERTEMPLATE);
         foreach($config as $category) {
             foreach ($category['items'] as $item) {
-                if ( serendipity_checkConfigItemFlags($item, 'local') ) {
+                if (in_array('groups', $item['flags'])) {
+                    if (serendipity_checkPermission('adminUsersMaintainOthers')) {
+
+                        // Void, no fixing neccessarry
+
+                    } elseif (serendipity_checkPermission('adminUsersMaintainSame')) {
+
+                        // Check that no user may assign groups he's not allowed to.
+                        foreach($_POST[$item['var']] AS $groupkey => $groupval) {
+                            if (in_array($group_val, $valid_groups)) {
+                                continue;
+                            }
+
+                            unset($_POST[$item['var']][$groupkey]);
+                        }
+
+                    } else {
+                        continue;
+                    }
+
+                    serendipity_updateGroups($_POST[$item['var']], $serendipity['POST']['user']);
+                    continue;
+                }
+
+                if (serendipity_checkConfigItemFlags($item, 'local')) {
                     serendipity_set_user_var($item['var'], $_POST[$item['var']], $serendipity['POST']['user'], ($serendipity['authorid'] == $serendipity['POST']['authorid'] ? true : false));
                 }
-                if ( serendipity_checkConfigItemFlags($item, 'configuration') ) {
+
+                if (serendipity_checkConfigItemFlags($item, 'configuration')) {
                     serendipity_set_config_var($item['var'], $_POST[$item['var']], $serendipity['POST']['user']);
                 }
             }
@@ -53,23 +86,50 @@ if (isset($_POST['SAVE_NEW'])) {
 
 /* Edit a user */
 if (isset($_POST['SAVE_EDIT'])) {
-    $user = serendipity_fetchUsers($serendipity['POST']['authorid']);
-    if ($user[0]['userlevel'] >= $serendipity['serendipityUserlevel'] && $serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN) {
+    $user = serendipity_fetchUsers($serendipity['POST']['user']);
+    if ($user[0]['userlevel'] >= $serendipity['serendipityUserlevel'] || !serendipity_checkPermission('adminUsersCreateNew')) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED . '</div>';
     } elseif ($_POST['userlevel'] > $serendipity['serendipityUserlevel']) {
         echo '<div class="serendipityAdminMsgError">' . CREATE_NOT_AUTHORIZED_USERLEVEL . '</div>';
     } else {
+        $valid_groups = serendipity_getGroups($serendipity['authorid'], true);
         $config = serendipity_parseTemplate(S9Y_CONFIG_USERTEMPLATE);
         foreach($config as $category) {
             foreach ($category['items'] as $item) {
-                if ( serendipity_checkConfigItemFlags($item, 'local') ) {
-                    serendipity_set_user_var($item['var'], $_POST[$item['var']], $serendipity['POST']['user'], ($serendipity['authorid'] == $serendipity['POST']['authorid'] ? true : false));
+                if (in_array('groups', $item['flags'])) {
+                    if (serendipity_checkPermission('adminUsersMaintainOthers')) {
+
+                        // Void, no fixing neccessarry
+
+                    } elseif (serendipity_checkPermission('adminUsersMaintainSame')) {
+
+                        // Check that no user may assign groups he's not allowed to.
+                        foreach($_POST[$item['var']] AS $groupkey => $groupval) {
+                            if (in_array($group_val, $valid_groups)) {
+                                continue;
+                            }
+
+                            unset($_POST[$item['var']][$groupkey]);
+                        }
+
+                    } else {
+                        continue;
+                    }
+
+                    serendipity_updateGroups($_POST[$item['var']], $serendipity['POST']['user']);
+                    continue;
+                }
+
+                if (serendipity_checkConfigItemFlags($item, 'local')) {
+                    serendipity_set_user_var($item['var'], $_POST[$item['var']], $serendipity['POST']['user'], ($serendipity['authorid'] == $serendipity['POST']['user'] ? true : false));
                 }
-                if ( serendipity_checkConfigItemFlags($item, 'configuration') ) {
+
+                if (serendipity_checkConfigItemFlags($item, 'configuration')) {
                     serendipity_set_config_var($item['var'], $_POST[$item['var']], $serendipity['POST']['user']);
                 }
             }
         }
+
         $pl_data = array(
             'authorid' => $serendipity['POST']['authorid'],
             'username' => $_POST['username'],
@@ -81,7 +141,7 @@ if (isset($_POST['SAVE_EDIT'])) {
     }
 }
 
-if ( $serendipity['GET']['adminAction'] != 'delete' ) {
+if ($serendipity['GET']['adminAction'] != 'delete') {
 ?>
     <table width="100%">
         <tr>
@@ -92,18 +152,24 @@ if ( $serendipity['GET']['adminAction'] != 'delete' ) {
         <tr>
             <td colspan="3">
 <?php
-$users = serendipity_fetchUsers();
+if (serendipity_checkPermission('adminUsersMaintainOthers')) {
+    $users = serendipity_fetchUsers('');
+} elseif (serendipity_checkPermission('adminUsersMaintainSame')) {
+    $users = serendipity_fetchUsers('', serendipity_getGroups($serendipity['authorid'], true));
+} else {
+    $users = serendipity_fetchUsers($serendipity['authorid']);
+}
+
 $i = 0;
 foreach($users as $user) {
     if ($user['userlevel'] < $serendipity['serendipityUserlevel'] || $user['authorid'] == $serendipity['authorid'] || $serendipity['serendipityUserlevel'] >= USERLEVEL_ADMIN ) {
-
-    if ( $user['userlevel'] >= USERLEVEL_ADMIN ) {
-        $img = serendipity_getTemplateFile('admin/img/user_admin.png');
-    } elseif ( $user['userlevel'] >= USERLEVEL_CHIEF ) {
-        $img = serendipity_getTemplateFile('admin/img/user_chief.png');
-    } else {
-        $img = serendipity_getTemplateFile('admin/img/user_editor.png');
-    }
+        if ( $user['userlevel'] >= USERLEVEL_ADMIN ) {
+            $img = serendipity_getTemplateFile('admin/img/user_admin.png');
+        } elseif ( $user['userlevel'] >= USERLEVEL_CHIEF ) {
+            $img = serendipity_getTemplateFile('admin/img/user_chief.png');
+        } else {
+            $img = serendipity_getTemplateFile('admin/img/user_editor.png');
+        }
 ?>
 <div class="serendipity_admin_list_item serendipity_admin_list_item_<?php echo ($i++ % 2) ? 'even' : 'uneven' ?>">
 <table width="100%">
@@ -122,7 +188,7 @@ foreach($users as $user) {
 ?>
             </tr>
         </tr>
-<?php if ( !isset($_POST['NEW']) ) { ?>
+<?php if ( !isset($_POST['NEW']) && serendipity_checkPermission('adminUsersCreateNew')) { ?>
         <tr>
             <td colspan="3" align="right">
                 <form action="?serendipity[adminModule]=users" method="post">
@@ -137,7 +203,7 @@ foreach($users as $user) {
 }
 
 
-if ($serendipity['GET']['adminAction'] == 'edit' || isset($_POST['NEW'])) {
+if ( ($serendipity['GET']['adminAction'] == 'edit' && serendipity_checkPermission('adminUsersDelete')) || (isset($_POST['NEW']) && serendipity_checkPermission('adminUsersCreateNew')) ) {
 ?>
 <br />
 <br />
@@ -148,15 +214,22 @@ if ($serendipity['GET']['adminAction'] == 'edit' || isset($_POST['NEW'])) {
 <?php
 if ($serendipity['GET']['adminAction'] == 'edit') {
     $user = serendipity_fetchUsers($serendipity['GET']['userid']);
-    if ($user[0]['userlevel'] >= $serendipity['serendipityUserlevel'] && $user[0]['authorid'] != $serendipity['authorid'] && $serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN) {
+    $group_intersect = serendipity_intersectGroup($user[0]['authorid']);
+        
+    if ($user[0]['userlevel'] >= $serendipity['serendipityUserlevel'] && $user[0]['authorid'] != $serendipity['authorid'] && !serendipity_checkPermission('adminUsersMaintainOthers')) {
         echo '<strong>' . CREATE_NOT_AUTHORIZED . '</strong><br />';
         echo EDIT;
         $from = array();
-    } else {
+    } elseif (serendipity_checkPermission('adminUsersMaintainOthers') ||
+            (serendipity_checkPermission('adminUsersMaintainSame') && $group_intersect)) {
         echo EDIT;
         $from = &$user[0];
         unset($from['password']);
         echo '<input type="hidden" name="serendipity[user]" value="' . $from['authorid'] . '" />';
+    } else {
+        echo '<strong>' . CREATE_NOT_AUTHORIZED . '</strong><br />';
+        echo EDIT;
+        $from = array();
     }
 } else {
     echo CREATE;
@@ -167,6 +240,12 @@ if ($serendipity['GET']['adminAction'] == 'edit') {
 
 <?php
 $config = serendipity_parseTemplate(S9Y_CONFIG_USERTEMPLATE);
+if (!empty($serendipity['GET']['userid'])) {
+    $from['groups'] = serendipity_getGroups($serendipity['GET']['userid']);
+} else {
+    $from['groups'] = array();
+} 
+
 serendipity_printConfigTemplate($config, $from, true, false);
 
 if ($serendipity['GET']['adminAction'] == 'edit') { ?>
@@ -178,8 +257,12 @@ if ($serendipity['GET']['adminAction'] == 'edit') { ?>
     </div>
 </form>
 <?php
-} elseif ($serendipity['GET']['adminAction'] == 'delete') {
+} elseif ($serendipity['GET']['adminAction'] == 'delete' && serendipity_checkPermission('adminUsersDelete')) {
     $user = serendipity_fetchUsers($serendipity['GET']['userid']);
+    $group_intersect = serendipity_intersectGroup($user[0]['authorid']);
+
+    if (serendipity_checkPermission('adminUsersMaintainOthers') ||
+                (serendipity_checkPermission('adminUsersMaintainSame') && $group_intersect)) {
 ?>
 <form action="?serendipity[adminModule]=users" method="post">
     <div>
@@ -191,7 +274,8 @@ if ($serendipity['GET']['adminAction'] == 'edit') { ?>
     </div>
 </form>
 <?php
+    }
 }
 
 /* vim: set sts=4 ts=4 expandtab : */
-?>
+?>
\ No newline at end of file
diff --git a/include/functions.inc.php b/include/functions.inc.php
index f8c38ed..ea4fd35 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -155,7 +155,7 @@ function serendipity_walkRecursive($ary, $child_name = 'id', $parent_name = 'par
     return $_resArray;
 }
 
-function serendipity_fetchUsers($user = '') {
+function serendipity_fetchUsers($user = '', $group = null) {
     global $serendipity;
 
     $where = '';
@@ -163,8 +163,33 @@ function serendipity_fetchUsers($user = '') {
         $where = "WHERE authorid = '" . (int)$user ."'";
     }
 
-    $querystring = "SELECT * FROM {$serendipity['dbPrefix']}authors $where ORDER BY realname ASC";
+    if ($group === null) {
+        $querystring = "SELECT * 
+                          FROM {$serendipity['dbPrefix']}authors 
+                               $where 
+                      ORDER BY realname ASC";
+    } else {
+        if (is_array($group)) {
+            foreach($group AS $idx => $groupid) {
+                $group[$idx] = (int)$groupid;
+            }
+            $group_sql = implode(', ', $group);
+        } else {
+            $group_sql = (int)$group;
+        }
 
+        $querystring = "SELECT a.* 
+                          FROM {$serendipity['dbPrefix']}authors AS a 
+               LEFT OUTER JOIN {$serendipity['dbPrefix']}authorgroups AS ag
+                            ON a.authorid = ag.authorid
+               LEFT OUTER JOIN {$serendipity['dbPrefix']}groups AS g
+                            ON ag.groupid  = g.id
+                         WHERE g.id IN ($group_sql)
+                               $where
+                      GROUP BY a.authorid 
+                      ORDER BY a.realname ASC";
+    }
+    
     return serendipity_db_query($querystring);
 }
 
diff --git a/include/functions_comments.inc.php b/include/functions_comments.inc.php
index 027f956..9c33472 100644
--- a/include/functions_comments.inc.php
+++ b/include/functions_comments.inc.php
@@ -214,7 +214,7 @@ function serendipity_deleteComment($id, $entry_id, $type='comments') {
 
     if ($_SESSION['serendipityAuthedUser'] === true) {
         $admin = '';
-        if ($_SESSION['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+        if (!serendipity_checkPermission('adminEntriesMaintainOthers')) {
             $admin = " AND authorid = " . (int)$_SESSION['serendipityAuthorid'] ."'";
         }
 
@@ -247,7 +247,7 @@ function serendipity_allowCommentsToggle($entry_id, $switch = 'disable') {
 
     if ($_SESSION['serendipityAuthedUser'] === true) {
         $admin = '';
-        if ($_SESSION['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+        if (!serendipity_checkPermission('adminEntriesMaintainOthers')) {
             $admin = " AND authorid = '" . (int)$_SESSION['serendipityAuthorid'] ."'";
         }
 
@@ -271,7 +271,7 @@ function serendipity_approveComment($cid, $entry_id, $force = false) {
                 LEFT JOIN {$serendipity['dbPrefix']}entries e ON (e.id = c.entry_id)
                 LEFT JOIN {$serendipity['dbPrefix']}authors a ON (e.authorid = a.authorid)
                 WHERE c.id = '". (int)$cid ."'
-                    ". (($serendipity['serendipityUserlevel'] != USERLEVEL_ADMIN && $force !== true) ? "AND e.authorid = '". (int)$serendipity['authorid'] ."'" : '') ."
+                    ". ((!serendipity_checkPermission('adminEntriesMaintainOthers') && $force !== true) ? "AND e.authorid = '". (int)$serendipity['authorid'] ."'" : '') ."
                     ". (($force === true) ? "" : "AND status = 'pending'");
     $rs  = serendipity_db_query($sql, true);
 
diff --git a/include/functions_config.inc.php b/include/functions_config.inc.php
index 87d0ed0..961a40c 100644
--- a/include/functions_config.inc.php
+++ b/include/functions_config.inc.php
@@ -27,7 +27,12 @@ function serendipity_addAuthor($username, $password, $realname, $email, $userlev
 
 function serendipity_deleteAuthor($authorid) {
     global $serendipity;
-    if (serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}authors WHERE authorid=" . (int)$authorid ." and userlevel <= ". (int)$serendipity['serendipityUserlevel'])) {
+
+    if (!serendipity_checkPermission('adminUsersDelete')) {
+        return false;
+    }
+    
+    if (serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}authors WHERE authorid=" . (int)$authorid)) {
         serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}permalinks WHERE entry_id=" . (int)$authorid ." and type='author'");
     }
     return true;
@@ -43,7 +48,11 @@ function serendipity_set_config_var($name, $val, $authorid = 0) {
 
     serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}config where name='" . serendipity_db_escape_string($name) . "' AND authorid = " . (int)$authorid);
     $r = serendipity_db_insert('config', array('name' => $name, 'value' => $val, 'authorid' => $authorid));
-    $serendipity[$name] = $val;
+    
+    if ($authorid === 0 || $authorid === $serendipity['authorid']) {
+        $serendipity[$name] = $val;
+    }
+
     if (is_string($r)) {
         echo $r;
     }
@@ -279,7 +288,7 @@ function serendipity_authenticate_author($username = '', $password = '', $is_md5
         $query = "SELECT DISTINCT
                     email, authorid, userlevel, right_publish
                   FROM
-                    $serendipity[dbPrefix]authors
+                    {$serendipity['dbPrefix']}authors
                   WHERE
                     username   = '" . serendipity_db_escape_string($username) . "'
                   AND password = '" . serendipity_db_escape_string($password) . "'";
@@ -498,5 +507,389 @@ function serendipity_getSessionLanguage() {
     return $lang;
 }
 
+function &serendipity_getPermissions($authorid) {
+    global $serendipity;
+
+        // Get group information
+        $groups = serendipity_db_query("SELECT ag.groupid, g.name, gc.property, gc.value
+                                          FROM {$serendipity['dbPrefix']}authorgroups AS ag
+                               LEFT OUTER JOIN {$serendipity['dbPrefix']}groups AS g
+                                            ON ag.groupid = g.id
+                               LEFT OUTER JOIN {$serendipity['dbPrefix']}groupconfig AS gc
+                                            ON gc.id = g.id
+                                         WHERE ag.authorid = " . (int)$authorid);
+        $perm = array('membership' => array());
+        if (is_array($groups)) {
+            foreach($groups AS $group) {
+                $perm['membership'][$group['groupid']]       = $group['groupid'];
+                $perm[$group['groupid']][$group['property']] = $group['value'];
+            }
+        }
+        return $perm;
+}
+
+function serendipity_getPermissionNames() {
+    return array(
+        'personalConfiguration'  
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
+        'personalConfigurationUserlevel'  
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+        'personalConfigurationNoCreate'  
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+        'personalConfigurationRightPublish'  
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+        'siteConfiguration'      
+            => array(USERLEVEL_ADMIN),
+        'blogConfiguration'      
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+
+        'adminEntries'           
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
+        'adminEntriesMaintainOthers' 
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+
+        'adminImport'
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+
+        'adminCategories'
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
+        'adminCategoriesMaintainOthers'
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+        'adminCategoriesDelete'
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+
+        'adminUsers'             
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+        'adminUsersDelete'       
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+        'adminUsersEditUserlevel'             
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+        'adminUsersMaintainSame'             
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+        'adminUsersMaintainOthers'             
+            => array('protected', USERLEVEL_ADMIN),
+        'adminUsersCreateNew'             
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+        'adminUsersGroups'             
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+
+        'adminPlugins'           
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+        'adminPluginsMaintainOthers'           
+            => array(USERLEVEL_ADMIN),
+
+        'adminImages'            
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
+        'adminImagesDirectories' 
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+        'adminImagesAdd' 
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
+        'adminImagesDelete'     
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
+        'adminImagesMaintainOthers' 
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+        'adminImagesView' 
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF, USERLEVEL_EDITOR),
+        'adminImagesSync' 
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+
+        'adminComments'          
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+
+        'adminTemplates'         
+            => array(USERLEVEL_ADMIN, USERLEVEL_CHIEF),
+    );
+}
+
+function serendipity_checkPermission($permName, $authorid = null, $returnMyGroups = false) {
+    global $serendipity;
+    
+    // Define old serendipity permissions
+    static $permissions = null;
+    static $group = null;
+    
+    if ($permissions === null) {
+        $permissions = serendipity_getPermissionNames();
+    }
+
+    if ($group === null) {
+        $group = array();
+    }
+    
+    if ($authorid === null) {
+        $authorid = $serendipity['authorid'];
+    }
+    
+    if ($authorid == $serendipity['authorid'] && $serendipity['no_create']) {
+        // This no_create user privilege overrides other permissions.
+        return false;
+    }
+
+    if (!isset($group[$authorid])) {
+        $group[$authorid] = serendipity_getPermissions($authorid);
+    }
+    
+    if ($returnMyGroups) {
+        return $group[$authorid]['membership'];
+    }
+
+    $return = true;
+    foreach($group[$authorid] AS $item) {
+        if (!isset($item[$permName])) {
+            continue;
+        }
+
+        if ($item[$permName] === 'true') {
+            return true;
+        } else {
+            $return = false;
+        }
+    }
+    
+    // If the function did not yet return it means there's a check for a permission which is not defined anywhere.
+    // Let's use a backwards compatible way.
+    if ($return && in_array($serendipity['serendipityUserlevel'], $permissions[$permName])) {
+        return true;
+    }
+    
+    return false;
+}
+
+function serendipity_updateGroups($groups, $authorid) {
+    global $serendipity;
+
+    if (!serendipity_checkPermission('adminUsersMaintainOthers')) {
+        return false;
+    }
+
+    serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}authorgroups WHERE authorid = " . (int)$authorid);
+
+    foreach($groups AS $group) {
+        serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}authorgroups (authorid, groupid) VALUES (" . (int)$authorid . ", " . (int)$group . ")"); 
+    }
+    return true;
+}
+
+function &serendipity_getAllGroups($apply_ACL_user = false) {
+    global $serendipity;
+
+    if ($apply_ACL_user) {
+        $groups =& serendipity_db_query("SELECT g.id   AS confkey, 
+                                                g.name AS confvalue,
+                                                g.id   AS id,
+                                                g.name AS name
+                                           FROM {$serendipity['dbPrefix']}authorgroups AS ag
+                                LEFT OUTER JOIN {$serendipity['dbPrefix']}groups AS g
+                                             ON g.id = ag.groupid
+                                          WHERE ag.authorid = " . (int)$apply_ACL_user . "
+                                       ORDER BY g.name", false, 'assoc');
+    } else {
+        $groups =& serendipity_db_query("SELECT g.id   AS confkey, 
+                                                g.name AS confvalue,
+                                                g.id   AS id,
+                                                g.name AS name
+                                          FROM {$serendipity['dbPrefix']}groups AS g
+                                      ORDER BY  g.name", false, 'assoc');
+    }
+    
+    return $groups;
+}
+
+function &serendipity_fetchGroup($groupid) {
+    global $serendipity;
+
+    $conf = array();
+    $groups =& serendipity_db_query("SELECT g.id        AS confkey, 
+                                            g.name      AS confvalue,
+                                            g.id        AS id,
+                                            g.name      AS name,
+
+                                            gc.property AS property,
+                                            gc.value    AS value
+                                      FROM {$serendipity['dbPrefix']}groups AS g
+                           LEFT OUTER JOIN {$serendipity['dbPrefix']}groupconfig AS gc
+                                        ON g.id = gc.id
+                                     WHERE g.id = " . (int)$groupid, false, 'assoc');
+    foreach($groups AS $group) {
+        $conf[$group['property']] = $group['value'];
+    }
+    
+    // The following are unique
+    $conf['name']      = $groups[0]['name'];
+    $conf['id']        = $groups[0]['id'];
+    $conf['confkey']   = $groups[0]['confkey'];
+    $conf['confvalue'] = $groups[0]['confvalue'];
+
+    return $conf;
+}
+
+
+function &serendipity_getGroups($authorid, $sequence = false) {
+    global $serendipity;
+
+    $groups =& serendipity_db_query("SELECT g.id   AS confkey, 
+                                            g.name AS confvalue,
+                                            g.id   AS id,
+                                            g.name AS name
+                                      FROM {$serendipity['dbPrefix']}authorgroups AS ag
+                           LEFT OUTER JOIN {$serendipity['dbPrefix']}groups AS g
+                                        ON g.id = ag.groupid
+                                     WHERE ag.authorid = " . (int)$authorid, false, 'assoc');
+    if ($sequence) {
+        $_groups = $groups;
+        $groups  = array();
+        foreach($_groups AS $grouprow) {
+            $groups[] = $grouprow['confkey'];
+        }
+    }
+
+    return $groups;
+}
+
+function &serendipity_getGroupUsers($groupid) {
+    global $serendipity;
+
+    $groups =& serendipity_db_query("SELECT g.name     AS name,
+                                            a.realname AS author,
+                                            a.authorid AS id
+                                      FROM {$serendipity['dbPrefix']}authorgroups AS ag
+                           LEFT OUTER JOIN {$serendipity['dbPrefix']}groups AS g
+                                        ON g.id = ag.groupid
+                           LEFT OUTER JOIN {$serendipity['dbPrefix']}authors AS a
+                                        ON ag.authorid = a.authorid
+                                     WHERE ag.groupid = " . (int)$groupid, false, 'assoc');
+    return $groups;
+}
+
+function serendipity_deleteGroup($groupid) {
+    global $serendipity;
+
+    if (!serendipity_checkPermission('adminUsersGroups')) {
+        return false;
+    }
+    
+    if (!serendipity_checkPermission('adminUsersMaintainOthers')) {
+        // Only groups should be accessible where a user has access rights.
+        $my_groups = serendipity_getGroups($serendipity['authorid'], true);
+        if (!in_array($groupid, $my_groups)) {
+            return false;
+        }
+    } 
+
+    serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}groups       WHERE id = " . (int)$groupid);
+    serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}authorgroups WHERE groupid = " . (int)$groupid);
+
+    return true;
+}
+
+function serendipity_addGroup($name) {
+    global $serendipity;
+
+    serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}groups (name) VALUES ('" . serendipity_db_escape_string($name) . "')");
+    $gid = serendipity_db_insert_id('groups', 'id');
+
+    return $gid;
+}
+
+function &serendipity_getDBPermissionNames() {
+    global $serendipity;
+    
+    $config =& serendipity_db_query("SELECT property FROM {$serendipity['dbPrefix']}groupconfig GROUP BY property ORDER BY property", false, 'assoc');
+
+    return $config;
+}
+
+function &serendipity_getAllPermissionNames() {
+    global $serendipity;
+
+    $DBperms =& serendipity_getDBPermissionNames();
+    $perms   =& serendipity_getPermissionNames();
+    
+    foreach($DBperms AS $perm) {
+        if (!isset($perms[$perm['property']])) {
+            $perms[$perm['property']] = array();
+        }
+    }
+
+    return $perms;
+}
+
+function serendipity_intersectGroup($checkuser = null, $myself = null) {
+    global $serendipity;
+
+    if ($myself === null) {
+        $myself = $serendipity['authorid'];
+    }
+    
+    $my_groups  = serendipity_getGroups($myself, true);
+    $his_groups = serendipity_getGroups($checkuser, true);
+
+    foreach($his_groups AS $his_group) {
+        if (in_array($his_group, $my_groups)) {
+            return true;
+        }
+    }
+    
+    return false;
+}
+
+function serendipity_updateGroupConfig($groupid, &$perms, &$values) {
+    global $serendipity;
+
+    if (!serendipity_checkPermission('adminUsersGroups')) {
+        return false;
+    }
+
+    if (!serendipity_checkPermission('adminUsersMaintainOthers')) {
+        // Only groups should be accessible where a user has access rights.
+        $my_groups = serendipity_getGroups($serendipity['authorid'], true);
+        if (!in_array($groupid, $my_groups)) {
+            return false;
+        }
+    } 
+
+    $storage = serendipity_fetchGroup($groupid);    
+
+    serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}groupconfig WHERE id = " . (int)$groupid); 
+    foreach ($perms AS $perm => $userlevels) {
+        if (isset($values[$perm]) && $values[$perm] == 'true') {
+            $value = 'true';
+        } elseif (isset($values[$perm]) && $values[$perm] === 'false') {
+            $value = 'false';
+        } elseif (isset($values[$perm])) {
+            $value = $values[$perm];
+        } else {
+            $value = 'false';
+        }
+        
+        if (in_array('protected', $userlevels) && !serendipity_checkPermission($perm)) {
+            $value = $storage[$perm];
+        }
+
+        serendipity_db_query(
+            sprintf("INSERT INTO {$serendipity['dbPrefix']}groupconfig (id, property, value) VALUES (%d, '%s', '%s')",
+                (int)$groupid,
+                serendipity_db_escape_string($perm),
+                serendipity_db_escape_string($value)
+            )
+        );
+    }
+    
+    serendipity_db_query("UPDATE {$serendipity['dbPrefix']}groups SET name = '" . serendipity_db_escape_string($values['name']) . "' WHERE id = " . (int)$groupid);
+
+    if (is_array($values['members'])) {
+        serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}authorgroups WHERE groupid = " . (int)$groupid);
+        foreach($values['members'] AS $member) {
+            serendipity_db_query(
+                sprintf("INSERT INTO {$serendipity['dbPrefix']}authorgroups (groupid, authorid) VALUES (%d, %d)",
+                    (int)$groupid,
+                    (int)$member
+                )
+            );
+        }
+    }
+
+    return true;
+}
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/include/functions_entries.inc.php b/include/functions_entries.inc.php
index 0c09c12..a067e79 100644
--- a/include/functions_entries.inc.php
+++ b/include/functions_entries.inc.php
@@ -186,7 +186,7 @@ function serendipity_fetchEntries($range = null, $full = true, $limit = '', $fet
         $limit = serendipity_db_limit_sql($limit);
     }
 
-    if (isset($serendipity['GET']['adminModule']) && $serendipity['GET']['adminModule'] == 'entries' && $serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+    if (isset($serendipity['GET']['adminModule']) && $serendipity['GET']['adminModule'] == 'entries' && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
         if (!empty($cond['and'])) {
             $cond['and'] .= " AND e.authorid = '" . $serendipity['authorid'] . "'";
         } else {
@@ -318,7 +318,7 @@ function serendipity_fetchEntry($key, $val, $full = true, $fetchDrafts = 'false'
         $cond['and'] = " AND e.isdraft = 'false' " . (!serendipity_db_bool($serendipity['showFutureEntries']) ? " AND e.timestamp <= " . time() : '');
     }
 
-    if (isset($serendipity['GET']['adminModule']) && $serendipity['GET']['adminModule'] == 'entries' && $serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+    if (isset($serendipity['GET']['adminModule']) && $serendipity['GET']['adminModule'] == 'entries' && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
         $cond['and'] = " AND e.authorid = '" . $serendipity['authorid'] . "'";
     }
 
@@ -376,12 +376,12 @@ function serendipity_fetchCategories($authorid = null, $name = '', $order = 'cat
         $authorid = ((isset($serendipity['authorid']) && !empty($serendipity['GET']['adminModule'])) ? $serendipity['authorid'] : 1);
     }
 
-    if ($serendipity['serendipityUserlevel'] == USERLEVEL_ADMIN) {
-        $authorid = 'all';
+    if (isset($serendipity['authorid']) && !empty($serendipity['GET']['adminModule']) && $authorid != $serendipity['authorid'] && !serendipity_checkPermission('adminCategoriesMaintainOthers')) {
+        $authorid = $serendipity['authorid'];
     }
 
     if ($authorid != 'all' && is_numeric($authorid)) {
-        $where = " WHERE ((c.authorid = $authorid OR c.authorid = 0) " . (!empty($serendipity['serendipityUserlevel']) ? " OR a.userlevel < {$serendipity['serendipityUserlevel']}" : '') . ')';
+        $where = " WHERE (c.authorid = $authorid OR c.authorid = 0)";
     } else {
         $where = '';
     }
@@ -668,7 +668,7 @@ function serendipity_printEntries($entries, $extended = 0, $preview = false) {
                 $entry['label_trackbacks']  = $entry['trackbacks'] == 1 ? TRACKBACK : TRACKBACKS;
             }
 
-            if ($_SESSION['serendipityAuthedUser'] === true && ($_SESSION['serendipityUserlevel'] >= USERLEVEL_CHIEF || $_SESSION['serendipityAuthorid'] == $entry['authorid'])) {
+            if ($_SESSION['serendipityAuthedUser'] === true && ($_SESSION['serendipityAuthorid'] == $entry['authorid'] || serendipity_checkPermission('adminEntriesMaintainOthers'))) {
                 $entry['is_entry_owner']    = true;
             }
 
@@ -1012,7 +1012,7 @@ function serendipity_updertEntry($entry) {
         $_entry            = serendipity_fetchEntry('id', $entry['id'], 1, 1);
         $entry['authorid'] = $_entry['authorid'];
 
-        if (isset($serendipity['GET']['adminModule']) && $serendipity['GET']['adminModule'] == 'entries' && $serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF && $entry['authorid'] != $serendipity['authorid']) {
+        if (isset($serendipity['GET']['adminModule']) && $serendipity['GET']['adminModule'] == 'entries' && $entry['authorid'] != $serendipity['authorid'] && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
             // Only chiefs and admins can change other's entry. Else update fails.
             return;
         }
@@ -1069,7 +1069,7 @@ function serendipity_deleteEntry($id) {
     // Purge the daily/monthly entries so they can be rebuilt
     $result = serendipity_db_query("SELECT timestamp, authorid FROM {$serendipity['dbPrefix']}entries WHERE id = '". (int)$id ."'", true);
 
-    if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF && $result[1] != $serendipity['authorid']) {
+    if ($result[1] != $serendipity['authorid'] && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
         // Only admins and chief users can delete entries which do not belong to the author
         return;
     }
diff --git a/include/functions_images.inc.php b/include/functions_images.inc.php
index b8967e9..a108714 100644
--- a/include/functions_images.inc.php
+++ b/include/functions_images.inc.php
@@ -66,7 +66,7 @@ function serendipity_updateImageInDatabase($updates, $id) {
     global $serendipity;
 
     $admin = '';
-    if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF) {
+    if (!serendipity_checkPermission('adminImagesAdd')) {
         $admin = ' AND (authorid = ' . $serendipity['authorid'] . ' OR authorid = 0)';
     }
 
@@ -88,7 +88,11 @@ function serendipity_deleteImage($id) {
     $dThumb = $file['path'] . $file['name'] .'.'. $file['thumbnail_name'] .'.'. $file['extension'];
 
     $admin = '';
-    if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid']) {
+    if (!serendipity_checkPermission('adminImagesDelete')) {
+        return;
+    }
+
+    if (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid']) {
         // A non-admin user may not delete private files from other users.
         return;
     }
@@ -340,7 +344,7 @@ function serendipity_scaleImg($id, $width, $height) {
     $file = serendipity_fetchImageFromDatabase($id);
 
     $admin = '';
-    if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid']) {
+    if (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid']) {
         return;
     }
 
@@ -370,7 +374,7 @@ function serendipity_rotateImg($id, $degrees) {
     $file = serendipity_fetchImageFromDatabase($id);
 
     $admin = '';
-    if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid']) {
+    if (!serendipity_checkPermission('adminImagesMaintainOthers') && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid']) {
         // A non-admin user may not delete private files from other users.
         return false;
     }
@@ -1049,7 +1053,7 @@ if ( !$manage ) {
                         <tr>
                             <td valign="top" width="16" rowspan="3">
 <?php
-                if ($serendipity['authorid'] == $file['authorid'] || $file['authorid'] == '0' || $serendipity['serendipityUserlevel'] >= USERLEVEL_CHIEF) {
+                if ($serendipity['authorid'] == $file['authorid'] || $file['authorid'] == '0' || serendipity_checkPermission('adminImagesMaintainOthers')) {
                     $popupWidth = ($is_image ? ($file['dimensions_width'] + 20) : 600);
                     $popupHeight = ($is_image ? ($file['dimensions_height'] + 20) : 500);
 ?>
diff --git a/include/functions_installer.inc.php b/include/functions_installer.inc.php
index fc6632c..9f79805 100644
--- a/include/functions_installer.inc.php
+++ b/include/functions_installer.inc.php
@@ -112,7 +112,6 @@ function serendipity_query_default($optname, $default, $usertemplate = false, $t
     }
 
     switch ($optname) {
-
         case 'permalinkStructure':
             return $default;
 
@@ -210,13 +209,39 @@ function serendipity_parseTemplate($filename, $areas = null, $onlyFlags=null) {
 
         foreach ( $category['items'] as $i => $item ) {
             $items = &$config[$n]['items'][$i];
+            
             if (!isset($items['userlevel']) || !is_numeric($items['userlevel'])) {
                 $items['userlevel'] = USERLEVEL_ADMIN;
             }
 
-            if ($userlevel < $items['userlevel']) {
+            if (!isset($items['permission']) && $userlevel < $items['userlevel']) {
+                unset($config[$n]['items'][$i]);
+                continue;
+            } elseif (!is_array($items['permission']) && !serendipity_checkPermission($items['permission'])) {
                 unset($config[$n]['items'][$i]);
                 continue;
+            } elseif (is_array($items['permission'])) {
+                $one_found = false;
+                $all_found = true;
+                foreach($items['permission'] AS $check_permission) {
+                    if (serendipity_checkPermission($check_permission)) {
+                        $one_found = true;
+                    } else {
+                        $all_found = false;
+                    }
+                }
+                
+                if (!isset($items['perm_mode'])) {
+                    $items['perm_mode'] = 'or';
+                }
+                
+                if ($items['perm_mode'] == 'or' && !$one_found) {
+                    unset($config[$n]['items'][$i]);
+                    continue;
+                } elseif ($items['perm_mode'] == 'and' && !$one_found && !$all_found) {
+                    unset($config[$n]['items'][$i]);
+                    continue;
+                }
             }
 
             if (!isset($items['flags']) || !is_array($items['flags'])) {
@@ -258,7 +283,7 @@ function serendipity_guessInput($type, $name, $value='', $default='') {
     global $serendipity;
 
     switch ($type) {
-        case 'bool' :
+        case 'bool':
             $value = serendipity_get_bool($value);
             echo '<input id="radio_cfg_' . $name . '_yes" type="radio" name="' . $name . '" value="true" ';
             echo (($value == true) ? 'checked="checked"' : ''). ' /><label for="radio_cfg_' . $name . '_yes"> ' . YES . '</label>&nbsp;';
@@ -266,24 +291,48 @@ function serendipity_guessInput($type, $name, $value='', $default='') {
             echo (($value == true) ? '' : 'checked="checked"'). ' /><label for="radio_cfg_' . $name . '_no"> ' . NO . '</label>';
             break;
 
-        case 'protected' :
+        case 'protected':
             echo '<input type="password" size="30" name="' . $name . '" value="' . htmlspecialchars($value) . '" />';
             break;
 
-        case 'list' :
+        case 'multilist':
+            echo '<select name="'. $name .'[]" multiple="multiple">';
+            foreach ((array)$default as $k => $v) {
+                print_r($v);
+                $selected = false;
+                foreach((array)$value AS $vk => $vv) {
+                    if ($vv['confkey'] == $v['confkey']) {
+                        $selected = true;
+                    }
+                }
+
+                printf('<option value="%s"%s>%s</option>'. "\n",
+                      $v['confkey'],
+                      ($selected ? ' selected="selected"' : ''),
+                      $v['confvalue']);
+            }
+            echo '</select>';
+            break;
+
+        case 'list':
             echo '<select name="'. $name .'">';
-            foreach ((array)$default as $k=>$v) {
+
+            foreach ((array)$default as $k => $v) {
+                $selected = ($k == $value);
+
                 printf('<option value="%s"%s>%s</option>'. "\n",
                       $k,
-                      (($k == $value) ? ' selected="selected"' : ''),
+                      ($selected ? ' selected="selected"' : ''),
                       $v);
             }
             echo '</select>';
             break;
-        case 'file' :
+
+        case 'file':
             echo '<input type="file" size="30" name="' . $name . '" />';
             break;
-        default :
+
+        default:
             echo '<input type="text" size="30" name="' . $name . '" value="' . htmlspecialchars($value) . '" />';
             break;
     }
@@ -747,7 +796,7 @@ function serendipity_updateConfiguration() {
         }
     }
 
-    if (IS_installed === false || $serendipity['serendipityUserlevel'] >= USERLEVEL_ADMIN) {
+    if (IS_installed === false || serendipity_checkPermission('siteConfiguration')) {
         return serendipity_updateLocalConfig($_POST['dbName'],
                                              $_POST['dbPrefix'],
                                              $_POST['dbHost'],
diff --git a/include/functions_upgrader.inc.php b/include/functions_upgrader.inc.php
index cf95f17..6691ffa 100644
--- a/include/functions_upgrader.inc.php
+++ b/include/functions_upgrader.inc.php
@@ -110,4 +110,49 @@ function serendipity_fixPlugins($case) {
             break;
     }
 }
-?>
+
+function serendipity_addDefaultGroups() {
+    global $serendipity;
+
+    serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}groups");
+    serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}groupconfig");
+    serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}authorgroups");
+
+    serendipity_addDefaultGroup(USERLEVEL_EDITOR_DESC, USERLEVEL_EDITOR);
+    serendipity_addDefaultGroup(USERLEVEL_CHIEF_DESC,  USERLEVEL_CHIEF);
+    serendipity_addDefaultGroup(USERLEVEL_ADMIN_DESC,  USERLEVEL_ADMIN);
+}
+
+function serendipity_addDefaultGroup($name, $level) {
+    global $serendipity;
+
+    static $perms = null;
+    if ($perms === null) {
+        $perms = serendipity_getPermissionNames();
+    }
+    
+    serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}groups (name) VALUES ('" . serendipity_db_escape_string($name) . "')");
+    $gid = (int)serendipity_db_insert_id('groups', 'id');
+    serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}groupconfig (id, property, value) VALUES ($gid, 'userlevel', '" . (int)$level . "')");
+
+    $authors = serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}authors WHERE userlevel = " . (int)$level);
+    if (!is_array($authors)) {
+        return;
+    }
+    
+    foreach($authors AS $author) {
+        serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}authorgroups (authorid, groupid) VALUES ('{$author['authorid']}', '$gid')");
+    }
+    
+    foreach($perms AS $permName => $permArray) {
+        if (in_array($level, $permArray)) {
+            serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}groupconfig (id, property, value) VALUES ($gid, '" . serendipity_db_escape_string($permName) . "', 'true')");
+        } else {
+            serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}groupconfig (id, property, value) VALUES ($gid, '" . serendipity_db_escape_string($permName) . "', 'false')");
+        }
+    }
+    
+    return true;
+}
+
+?>
\ No newline at end of file
diff --git a/include/plugin_api.inc.php b/include/plugin_api.inc.php
index ada9757..6bc814b 100644
--- a/include/plugin_api.inc.php
+++ b/include/plugin_api.inc.php
@@ -363,7 +363,7 @@ class serendipity_plugin_api {
         global $serendipity;
 
         $admin = '';
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && $placement == 'hidden') {
+        if (!serendipity_checkPermission('adminPlugins') && $placement == 'hidden') {
             // Only administrators can set plugins to 'hidden' if they are not the owners.
             $admin = " AND (authorid = 0 OR authorid = {$serendipity['authorid']})";
         }
@@ -388,7 +388,7 @@ class serendipity_plugin_api {
         }
 
         $admin = '';
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN) {
+        if (!serendipity_checkPermission('adminPlugins')) {
             $admin = " AND (authorid = 0 OR authorid = {$serendipity['authorid']})";
         }
 
diff --git a/include/tpl/config_local.inc.php b/include/tpl/config_local.inc.php
index 365fc26..889666e 100644
--- a/include/tpl/config_local.inc.php
+++ b/include/tpl/config_local.inc.php
@@ -13,6 +13,7 @@
                                           'description' => INSTALL_DBTYPE_DESC,
                                           'type'        => 'list',
                                           'default'     => array(),
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('nosave', 'simpleInstall', 'probeDefault')),
 
                                     array('var'         => 'dbHost',
@@ -20,6 +21,7 @@
                                           'description' => INSTALL_DBHOST_DESC,
                                           'type'        => 'string',
                                           'default'     => 'localhost',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('nosave', 'simpleInstall')),
 
                                     array('var'         => 'dbUser',
@@ -27,6 +29,7 @@
                                           'description' => INSTALL_DBUSER_DESC,
                                           'type'        => 'string',
                                           'default'     => 'serendipity',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('nosave', 'simpleInstall')),
 
                                     array('var'         => 'dbPass',
@@ -34,6 +37,7 @@
                                           'description' => INSTALL_DBPASS_DESC,
                                           'type'        => 'protected',
                                           'default'     => '',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('nosave', 'hideValue', 'simpleInstall')),
 
                                     array('var'         => 'dbName',
@@ -41,6 +45,7 @@
                                           'description' => INSTALL_DBNAME_DESC,
                                           'type'        => 'string',
                                           'default'     => 'serendipity',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('nosave', 'simpleInstall')),
 
                                     array('var'         => 'dbPrefix',
@@ -48,6 +53,7 @@
                                           'description' => INSTALL_DBPREFIX_DESC,
                                           'type'        => 'string',
                                           'default'     => 'serendipity_',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('nosave')),
 
                                     array('var'         => 'dbPersistent',
@@ -55,6 +61,7 @@
                                           'description' => INSTALL_DBPERSISTENT_DESC,
                                           'type'        => 'bool',
                                           'default'     => false,
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('nosave'))
                                 ));
 
@@ -65,48 +72,56 @@
                                           'title'       => INSTALL_FULLPATH,
                                           'description' => INSTALL_FULLPATH_DESC,
                                           'type'        => 'string',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => '/webroot/serendipity/'),
 
                                     array('var'         => 'uploadPath',
                                           'title'       => INSTALL_UPLOADPATH,
                                           'description' => INSTALL_UPLOADPATH_DESC,
                                           'type'        => 'string',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => 'uploads/'),
 
                                     array('var'         => 'serendipityHTTPPath',
                                           'title'       => INSTALL_RELPATH,
                                           'description' => INSTALL_RELPATH_DESC,
                                           'type'        => 'string',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => '/serendipity/'),
 
                                     array('var'         => 'templatePath',
                                           'title'       => INSTALL_RELTEMPLPATH,
                                           'description' => INSTALL_RELTEMPLPATH_DESC,
                                           'type'        => 'string',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => 'templates/'),
 
                                     array('var'         => 'uploadHTTPPath',
                                           'title'       => INSTALL_RELUPLOADPATH,
                                           'description' => INSTALL_RELUPLOADPATH_DESC,
                                           'type'        => 'string',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => 'uploads/'),
 
                                     array('var'         => 'baseURL',
                                           'title'       => INSTALL_URL,
                                           'description' => INSTALL_URL_DESC,
                                           'type'        => 'string',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => 'http://www.example.com/serendipity/'),
 
                                     array('var'         => 'autodetect_baseURL',
                                           'title'       => INSTALL_AUTODETECT_URL,
                                           'description' => INSTALL_AUTODETECT_URL_DESC,
                                           'type'        => 'bool',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => false),
 
                                     array('var'         => 'indexFile',
                                           'title'       => INSTALL_INDEXFILE,
                                           'description' => INSTALL_INDEXFILE_DESC,
                                           'type'        => 'string',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => 'index.php'),
                                 ));
 
@@ -120,6 +135,7 @@
                                           'description' => INSTALL_PERMALINK_DESC,
                                           'type'        => 'string',
                                           'default'     => 'archives/%id%-%title%.html',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkAuthorStructure',
@@ -127,6 +143,7 @@
                                           'description' => INSTALL_PERMALINK_AUTHOR_DESC,
                                           'type'        => 'string',
                                           'default'     => 'authors/%id%-%realname%',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkCategoryStructure',
@@ -134,6 +151,7 @@
                                           'description' => INSTALL_PERMALINK_CATEGORY_DESC,
                                           'type'        => 'string',
                                           'default'     => 'categories/%id%-%name%',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkFeedCategoryStructure',
@@ -141,6 +159,7 @@
                                           'description' => INSTALL_PERMALINK_FEEDCATEGORY_DESC,
                                           'type'        => 'string',
                                           'default'     => 'feeds/categories/%id%-%name%.rss',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkArchivesPath',
@@ -148,6 +167,7 @@
                                           'description' => '',
                                           'type'        => 'string',
                                           'default'     => 'archives',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkArchivePath',
@@ -155,6 +175,7 @@
                                           'description' => '',
                                           'type'        => 'string',
                                           'default'     => 'archive',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkCategoriesPath',
@@ -162,6 +183,7 @@
                                           'description' => '',
                                           'type'        => 'string',
                                           'default'     => 'categories',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkUnsubscribePath',
@@ -169,6 +191,7 @@
                                           'description' => '',
                                           'type'        => 'string',
                                           'default'     => 'unsubscribe',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkDeletePath',
@@ -176,6 +199,7 @@
                                           'description' => '',
                                           'type'        => 'string',
                                           'default'     => 'delete',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkApprovePath',
@@ -183,6 +207,7 @@
                                           'description' => '',
                                           'type'        => 'string',
                                           'default'     => 'approve',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkFeedsPath',
@@ -190,6 +215,7 @@
                                           'description' => '',
                                           'type'        => 'string',
                                           'default'     => 'feeds',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkPluginPath',
@@ -197,6 +223,7 @@
                                           'description' => '',
                                           'type'        => 'string',
                                           'default'     => 'plugin',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkAdminPath',
@@ -204,6 +231,7 @@
                                           'description' => '',
                                           'type'        => 'string',
                                           'default'     => 'admin',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                                     array('var'         => 'permalinkSearchPath',
@@ -211,6 +239,7 @@
                                           'description' => '',
                                           'type'        => 'string',
                                           'default'     => 'search',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('ifEmpty')),
 
                     )
@@ -224,6 +253,7 @@
                                           'description' => INSTALL_USERNAME_DESC,
                                           'type'        => 'string',
                                           'default'     => 'John Doe',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('installOnly', 'local', 'simpleInstall')),
 
                                     array('var'         => 'pass',
@@ -231,6 +261,7 @@
                                           'description' => INSTALL_PASSWORD_DESC,
                                           'type'        => 'protected',
                                           'default'     => 'john',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('installOnly', 'local', 'simpleInstall')),
 
                                     array('var'         => 'realname',
@@ -238,6 +269,7 @@
                                           'description' => USERCONF_REALNAME_DESC,
                                           'type'        => 'string',
                                           'default'     => 'John Doe',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('installOnly', 'local', 'simpleInstall')),
 
                                     array('var'         => 'email',
@@ -245,6 +277,7 @@
                                           'description' => INSTALL_EMAIL_DESC,
                                           'type'        => 'string',
                                           'default'     => 'john@example.com',
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('installOnly', 'local', 'simpleInstall')),
 
                                     array('var'         => 'want_mail',
@@ -252,12 +285,14 @@
                                           'description' => INSTALL_SENDMAIL_DESC,
                                           'type'        => 'bool',
                                           'default'     => true,
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('installOnly', 'local')),
 
                                     array('var'         => 'allowSubscriptions',
                                           'title'       => INSTALL_SUBSCRIBE,
                                           'description' => INSTALL_SUBSCRIBE_DESC,
                                           'type'        => 'bool',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => true),
 
                                     array('var'         => 'blogTitle',
@@ -265,7 +300,7 @@
                                           'description' => INSTALL_BLOGNAME_DESC,
                                           'type'        => 'string',
                                           'default'     => 'John Doe\'s personal blog',
-                                          'userlevel'   => USERLEVEL_CHIEF,
+                                          'permission'  => 'blogConfiguration',
                                           'flags'       => array('simpleInstall')),
 
                                     array('var'         => 'blogDescription',
@@ -273,7 +308,7 @@
                                           'description' => INSTALL_BLOGDESC_DESC,
                                           'type'        => 'string',
                                           'default'     => 'My little place on the web...',
-                                          'userlevel'   => USERLEVEL_CHIEF,
+                                          'permission'  => 'blogConfiguration',
                                           'flags'       => array('simpleInstall')),
 
                                     array('var'         => 'lang',
@@ -281,12 +316,14 @@
                                           'description' => INSTALL_LANG_DESC,
                                           'type'        => 'list',
                                           'default'     => $serendipity['languages'],
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('simpleInstall')),
 
                                     array('var'         => 'calendar',
                                           'title'       => INSTALL_CAL,
                                           'description' => INSTALL_CAL_DESC,
                                           'type'        => 'list',
+                                          'permission'  => 'blogConfiguration',
                                           'default'     => $serendipity['calendars']),
 
                                     array('var'         => 'lang_content_negotiation',
@@ -294,7 +331,7 @@
                                           'description' => AUTOLANG_DESC,
                                           'type'        => 'bool',
                                           'default'     => false,
-                                          'userlevel'   => USERLEVEL_CHIEF),
+                                          'permission'  => 'blogConfiguration'),
                             ));
 
     $res['display'] =
@@ -305,12 +342,13 @@
                                           'description' => INSTALL_FETCHLIMIT_DESC,
                                           'type'        => 'int',
                                           'default'     => 15,
-                                          'userlevel'   => USERLEVEL_CHIEF),
+                                          'permission'  => 'blogConfiguration'),
 
                                     array('var'         => 'useGzip',
                                           'title'       => INSTALL_USEGZIP,
                                           'description' => INSTALL_USEGZIP_DESC,
                                           'type'        => 'bool',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => false),
 
                                     array('var'         => 'wysiwyg',
@@ -318,13 +356,14 @@
                                           'description' => INSTALL_WYSIWYG_DESC,
                                           'type'        => 'bool',
                                           'default'     => false,
-                                          'userlevel'   => USERLEVEL_CHIEF,
+                                          'permission'  => 'blogConfiguration',
                                           'flags'       => array('simpleInstall', 'installOnly')),
 
                                     array('var'         => 'XHTML11',
                                           'title'       => INSTALL_XHTML11,
                                           'description' => INSTALL_XHTML11_DESC,
                                           'type'        => 'bool',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => false),
 
                                     array('var'         => 'enablePopup',
@@ -332,18 +371,20 @@
                                           'description' => INSTALL_POPUP_DESC,
                                           'type'        => 'bool',
                                           'default'     => false,
-                                          'userlevel'   => USERLEVEL_CHIEF),
+                                          'permission'  => 'blogConfiguration'),
 
                                     array('var'         => 'embed',
                                           'title'       => INSTALL_EMBED,
                                           'description' => INSTALL_EMBED_DESC,
                                           'type'        => 'bool',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => 'false'),
 
                                     array('var'         => 'top_as_links',
                                           'title'       => INSTALL_SHOW_EXTERNAL_LINKS,
                                           'description' => INSTALL_SHOW_EXTERNAL_LINKS_DESC,
                                           'type'        => 'bool',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => false),
 
                                     array('var'         => 'blockReferer',
@@ -351,13 +392,14 @@
                                           'description' => INSTALL_BLOCKREF_DESC,
                                           'type'        => 'string',
                                           'default'     => ';',
-                                          'userlevel'   => USERLEVEL_CHIEF),
+                                          'permission'  => 'blogConfiguration'),
 
                                     array('var'         => 'rewrite',
                                           'title'       => INSTALL_REWRITE,
                                           'description' => INSTALL_REWRITE_DESC,
                                           'type'        => 'list',
                                           'default'     => array(),
+                                          'permission'  => 'siteConfiguration',
                                           'flags'       => array('probeDefault')),
 
                                     array('var'         => 'serverOffsetHours',
@@ -365,7 +407,7 @@
                                           'description' => INSTALL_OFFSET_DESC,
                                           'type'        => 'int',
                                           'default'     => 0,
-                                          'userlevel'   => USERLEVEL_CHIEF,
+                                          'permission'  => 'blogConfiguration',
                                           'flags'       => array('parseDescription')),
 
                                     array('var'         => 'showFutureEntries',
@@ -373,7 +415,7 @@
                                           'description' => INSTALL_SHOWFUTURE_DESC,
                                           'type'        => 'bool',
                                           'default'     => false,
-                                          'userlevel'   => USERLEVEL_CHIEF),
+                                          'permission'  => 'blogConfiguration'),
                             ));
 
     $res['imagehandling'] =
@@ -383,24 +425,28 @@
                                           'title'       => INSTALL_IMAGEMAGICK,
                                           'description' => INSTALL_IMAGEMAGICK_DESC,
                                           'type'        => 'bool',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => false),
 
                                     array('var'         => 'convert',
                                           'title'       => INSTALL_IMAGEMAGICKPATH,
                                           'description' => INSTALL_IMAGEMAGICKPATH_DESC,
                                           'type'        => 'string',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => '/usr/local/bin/convert'),
 
                                     array('var'         => 'thumbSuffix',
                                           'title'       => INSTALL_THUMBSUFFIX,
                                           'description' => INSTALL_THUMBSUFFIX_DESC,
                                           'type'        => 'string',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => 'serendipityThumb'),
 
                                     array('var'         => 'thumbSize',
                                           'title'       => INSTALL_THUMBWIDTH,
                                           'description' => INSTALL_THUMBWIDTH_DESC,
                                           'type'        => 'int',
+                                          'permission'  => 'siteConfiguration',
                                           'default'     => 110),
                             ));
 
diff --git a/include/tpl/config_personal.inc.php b/include/tpl/config_personal.inc.php
index fb59d70..47feb79 100644
--- a/include/tpl/config_personal.inc.php
+++ b/include/tpl/config_personal.inc.php
@@ -13,42 +13,51 @@
                                           'description' => USERCONF_USERNAME_DESC,
                                           'type'        => 'string',
                                           'default'     => 'johndoe',
-                                          'userlevel'   => USERLEVEL_EDITOR),
+                                          'permission'  => 'personalConfiguration'),
 
                                     array('var'         => 'password',
                                           'title'       => USERCONF_PASSWORD,
                                           'description' => USERCONF_PASSWORD_DESC,
                                           'type'        => 'protected',
                                           'default'     => '',
-                                          'userlevel'   => USERLEVEL_EDITOR),
+                                          'permission'  => 'personalConfiguration'),
 
                                     array('var'         => 'realname',
                                           'title'       => USERCONF_REALNAME,
                                           'description' => USERCONF_REALNAME_DESC,
                                           'type'        => 'string',
                                           'default'     => 'John Doe',
-                                          'userlevel'   => USERLEVEL_EDITOR),
+                                          'permission'  => 'personalConfiguration'),
 
                                     array('var'         => 'userlevel',
                                           'title'       => USERCONF_USERLEVEL,
-                                          'description' => USERCONF_USERLEVEL_DESC,
+                                          'description' => USERCONF_USERLEVEL_DESC . "\n" . USERLEVEL_OBSOLETE,
                                           'type'        => 'list',
                                           'default'     => $serendipity['permissionLevels'],
-                                          'userlevel'   => USERLEVEL_CHIEF),
+                                          'permission'  => 'personalConfigurationUserlevel'),
+
+                                    array('var'         => 'groups',
+                                          'title'       => USERCONF_GROUPS,
+                                          'description' => USERCONF_GROUPS_DESC,
+                                          'type'        => 'multilist',
+                                          'permission'  => array('adminUsersMaintainOthers', 'adminUsersMaintainSame'),
+                                          'perm_mode'   => 'or', 
+                                          'default'     => serendipity_getAllGroups(),
+                                          'flags'       => array('groups')),
 
                                     array('var'         => 'email',
                                           'title'       => USERCONF_EMAIL,
                                           'description' => USERCONF_EMAIL_DESC,
                                           'type'        => 'string',
                                           'default'     => 'john@example.com',
-                                          'userlevel'   => USERLEVEL_EDITOR),
+                                          'permission'  => 'personalConfiguration'),
 
                                     array('var'         => 'lang',
                                           'title'       => INSTALL_LANG,
                                           'description' => INSTALL_LANG_DESC,
                                           'type'        => 'list',
                                           'default'     => $serendipity['languages'],
-                                          'userlevel'   => USERLEVEL_EDITOR,
+                                          'permission'  => 'personalConfiguration',
                                           'flags'       => array('config')),
 
                                     array('var'         => 'wysiwyg',
@@ -56,7 +65,7 @@
                                           'description' => INSTALL_WYSIWYG_DESC,
                                           'type'        => 'bool',
                                           'default'     => false,
-                                          'userlevel'   => USERLEVEL_EDITOR,
+                                          'permission'  => 'personalConfiguration',
                                           'flags'       => array('config')),
 
                                     array('var'         => 'mail_comments',
@@ -64,21 +73,21 @@
                                           'description' => USERCONF_SENDCOMMENTS_DESC,
                                           'type'        => 'bool',
                                           'default'     => true,
-                                          'userlevel'   => USERLEVEL_EDITOR),
+                                          'permission'  => 'personalConfiguration'),
 
                                     array('var'         => 'mail_trackbacks',
                                           'title'       => USERCONF_SENDTRACKBACKS,
                                           'description' => USERCONF_SENDTRACKBACKS_DESC,
                                           'type'        => 'bool',
                                           'default'     => true,
-                                          'userlevel'   => USERLEVEL_EDITOR),
+                                          'permission'  => 'personalConfiguration'),
 
                                     array('var'         => 'no_create',
                                           'title'       => USERCONF_CREATE,
                                           'description' => USERCONF_CREATE_DESC,
                                           'type'        => 'bool',
                                           'default'     => false,
-                                          'userlevel'   => USERLEVEL_CHIEF,
+                                          'permission'  => 'personalConfigurationNoCreate',
                                           'flags'       => array('config')),
 
                                     array('var'         => 'right_publish',
@@ -86,7 +95,7 @@
                                           'description' => USERCONF_ALLOWPUBLISH_DESC,
                                           'type'        => 'bool',
                                           'default'     => true,
-                                          'userlevel'   => USERLEVEL_CHIEF),
+                                          'permission'  => 'personalConfigurationRightPublish')
                             ));
 
     $res['defaults'] =
@@ -98,7 +107,7 @@
                                           'description' => '',
                                           'type'        => 'bool',
                                           'default'     => false,
-                                          'userlevel'   => USERLEVEL_EDITOR,
+                                          'permission'  => 'personalConfiguration',
                                           'flags'       => array('config')),
 
                                     array('var'         => 'allowCommentsDefault',
@@ -106,7 +115,7 @@
                                           'description' => '',
                                           'type'        => 'bool',
                                           'default'     => true,
-                                          'userlevel'   => USERLEVEL_EDITOR,
+                                          'permission'  => 'personalConfiguration',
                                           'flags'       => array('config')),
 
                                     array('var'         => 'publishDefault',
@@ -114,7 +123,7 @@
                                           'description' => '',
                                           'type'        => 'list',
                                           'default'     => array('publish' => PUBLISH, 'draft' => DRAFT),
-                                          'userlevel'   => USERLEVEL_EDITOR,
+                                          'permission'  => 'personalConfiguration',
                                           'flags'       => array('config')),
                             ));
 
diff --git a/lang/serendipity_lang_bg.inc.php b/lang/serendipity_lang_bg.inc.php
index 41e2e3c..5975185 100644
--- a/lang/serendipity_lang_bg.inc.php
+++ b/lang/serendipity_lang_bg.inc.php
@@ -681,6 +681,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_cn.inc.php b/lang/serendipity_lang_cn.inc.php
index b000562..28e8d31 100644
--- a/lang/serendipity_lang_cn.inc.php
+++ b/lang/serendipity_lang_cn.inc.php
@@ -695,6 +695,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_cs.inc.php b/lang/serendipity_lang_cs.inc.php
index 12c467d..a4dca45 100644
--- a/lang/serendipity_lang_cs.inc.php
+++ b/lang/serendipity_lang_cs.inc.php
@@ -697,6 +697,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
\ No newline at end of file
diff --git a/lang/serendipity_lang_cz.inc.php b/lang/serendipity_lang_cz.inc.php
index 041a60d..57803e1 100644
--- a/lang/serendipity_lang_cz.inc.php
+++ b/lang/serendipity_lang_cz.inc.php
@@ -697,6 +697,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
\ No newline at end of file
diff --git a/lang/serendipity_lang_da.inc.php b/lang/serendipity_lang_da.inc.php
index 1eab87f..19209aa 100644
--- a/lang/serendipity_lang_da.inc.php
+++ b/lang/serendipity_lang_da.inc.php
@@ -697,6 +697,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_de.inc.php b/lang/serendipity_lang_de.inc.php
index f87fbbd..6eabb4b 100644
--- a/lang/serendipity_lang_de.inc.php
+++ b/lang/serendipity_lang_de.inc.php
@@ -696,6 +696,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_en.inc.php b/lang/serendipity_lang_en.inc.php
index 0be2c49..e966400 100644
--- a/lang/serendipity_lang_en.inc.php
+++ b/lang/serendipity_lang_en.inc.php
@@ -694,6 +694,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_es.inc.php b/lang/serendipity_lang_es.inc.php
index c43002e..12e2dcc 100644
--- a/lang/serendipity_lang_es.inc.php
+++ b/lang/serendipity_lang_es.inc.php
@@ -699,6 +699,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
\ No newline at end of file
diff --git a/lang/serendipity_lang_fa.inc.php b/lang/serendipity_lang_fa.inc.php
index ad170b9..62ef16b 100644
--- a/lang/serendipity_lang_fa.inc.php
+++ b/lang/serendipity_lang_fa.inc.php
@@ -696,6 +696,16 @@
 @define('INSTALL_CAL', 'تقویم');
 @define('INSTALL_CAL_DESC', 'نوع تقویم خود را انتخاب کنید');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_fi.inc.php b/lang/serendipity_lang_fi.inc.php
index 1048f37..264234e 100644
--- a/lang/serendipity_lang_fi.inc.php
+++ b/lang/serendipity_lang_fi.inc.php
@@ -694,6 +694,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_fr.inc.php b/lang/serendipity_lang_fr.inc.php
index 7d378ee..cc1a3dd 100644
--- a/lang/serendipity_lang_fr.inc.php
+++ b/lang/serendipity_lang_fr.inc.php
@@ -702,6 +702,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
\ No newline at end of file
diff --git a/lang/serendipity_lang_is.inc.php b/lang/serendipity_lang_is.inc.php
index 1971cf3..96aeb7f 100644
--- a/lang/serendipity_lang_is.inc.php
+++ b/lang/serendipity_lang_is.inc.php
@@ -694,6 +694,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_it.inc.php b/lang/serendipity_lang_it.inc.php
index 1ecec81..0d158b4 100644
--- a/lang/serendipity_lang_it.inc.php
+++ b/lang/serendipity_lang_it.inc.php
@@ -696,6 +696,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_ja.inc.php b/lang/serendipity_lang_ja.inc.php
index d09e185..ac8261c 100644
--- a/lang/serendipity_lang_ja.inc.php
+++ b/lang/serendipity_lang_ja.inc.php
@@ -696,6 +696,16 @@ Serendipity のアップグレードステージを無視しました。正し
 @define('INSTALL_CAL', 'カレンダーの種類');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_ko.inc.php b/lang/serendipity_lang_ko.inc.php
index 9a42c7c..4c4bd81 100644
--- a/lang/serendipity_lang_ko.inc.php
+++ b/lang/serendipity_lang_ko.inc.php
@@ -699,6 +699,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_nl.inc.php b/lang/serendipity_lang_nl.inc.php
index dc88a66..fad720a 100644
--- a/lang/serendipity_lang_nl.inc.php
+++ b/lang/serendipity_lang_nl.inc.php
@@ -698,6 +698,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_no.inc.php b/lang/serendipity_lang_no.inc.php
index 1f31bd5..2eac95a 100644
--- a/lang/serendipity_lang_no.inc.php
+++ b/lang/serendipity_lang_no.inc.php
@@ -697,5 +697,15 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 ?>
diff --git a/lang/serendipity_lang_pt.inc.php b/lang/serendipity_lang_pt.inc.php
index 0a0485d..75fc183 100644
--- a/lang/serendipity_lang_pt.inc.php
+++ b/lang/serendipity_lang_pt.inc.php
@@ -697,6 +697,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_ro.inc.php b/lang/serendipity_lang_ro.inc.php
index c1c8bcb..41e66a3 100644
--- a/lang/serendipity_lang_ro.inc.php
+++ b/lang/serendipity_lang_ro.inc.php
@@ -694,6 +694,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_ru.inc.php b/lang/serendipity_lang_ru.inc.php
index e3caf2d..bfda7e6 100644
--- a/lang/serendipity_lang_ru.inc.php
+++ b/lang/serendipity_lang_ru.inc.php
@@ -697,6 +697,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_se.inc.php b/lang/serendipity_lang_se.inc.php
index ee0c960..c748179 100644
--- a/lang/serendipity_lang_se.inc.php
+++ b/lang/serendipity_lang_se.inc.php
@@ -696,6 +696,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
\ No newline at end of file
diff --git a/lang/serendipity_lang_tn.inc.php b/lang/serendipity_lang_tn.inc.php
index 0da1c27..f5498c9 100644
--- a/lang/serendipity_lang_tn.inc.php
+++ b/lang/serendipity_lang_tn.inc.php
@@ -695,6 +695,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/lang/serendipity_lang_tw.inc.php b/lang/serendipity_lang_tw.inc.php
index fe70acc..bc19a8d 100644
--- a/lang/serendipity_lang_tw.inc.php
+++ b/lang/serendipity_lang_tw.inc.php
@@ -695,5 +695,15 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 ?>
diff --git a/lang/serendipity_lang_zh.inc.php b/lang/serendipity_lang_zh.inc.php
index c903f37..4990098 100644
--- a/lang/serendipity_lang_zh.inc.php
+++ b/lang/serendipity_lang_zh.inc.php
@@ -695,6 +695,16 @@
 @define('INSTALL_CAL', 'Calendar Type');
 @define('INSTALL_CAL_DESC', 'Choose your desired Calendar format');
 @define('REPLY', 'Reply');
+@define('USERCONF_GROUPS', 'Group Memberships');
+@define('USERCONF_GROUPS_DESC', 'This user is a member of the following groups. Multiple memberships are possible.');
+@define('MANAGE_GROUPS', 'Manage groups');
+@define('DELETED_GROUP', 'Group #%d %s deleted.');
+@define('CREATED_GROUP', 'A new group %s has been created');
+@define('MODIFIED_GROUP', 'The properties of group %s have been changed');
+@define('GROUP', 'Group');
+@define('CREATE_NEW_GROUP', 'Create new group');
+@define('DELETE_GROUP', 'You are about to delete group #%d %s. Are you serious?');
+@define('USERLEVEL_OBSOLETE', 'NOTICE: The userlevel attribute is now only used for backward compatibility to plugins and fallback authorisation. User privileges are now handled by group memberships!');
 
 /* vim: set sts=4 ts=4 expandtab : */
 ?>
diff --git a/plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php b/plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php
index 41d7317..6f0a09c 100644
--- a/plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php
+++ b/plugins/serendipity_event_entryproperties/serendipity_event_entryproperties.php
@@ -13,7 +13,7 @@ switch ($serendipity['lang']) {
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_STICKYPOSTS', 'Dauerhafte Artikel');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS', 'Artikel können gelesen werden von');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_PRIVATE', 'mir selbst');
-        @define('PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_MEMBER', 'Co-Autoren');
+        @define('PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_MEMBERS', 'Co-Autoren');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_PUBLIC', 'allen');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_CACHE', 'Artikel cachen?');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_CACHE_DESC', 'Falls diese Option aktiviert ist, wird eine Cache-Version des Artikels gespeichert. Dieses Caching wird zwar die Performance erhöhen, aber Flexibilität anderer Plugins eventuell einschränken.');
@@ -27,6 +27,8 @@ switch ($serendipity['lang']) {
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_CACHE_TOTAL', ' (insgesamt %d Artikel vorhanden)...');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_NL2BR', 'Automatischen Zeilenumbruch deaktivieren');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_NO_FRONTPAGE', 'Nicht in Artikelübersicht zeigen');
+        @define('PLUGIN_EVENT_ENTRYPROPERTIES_GROUPS', 'Leserechte auf Gruppen beschränken');
+        @define('PLUGIN_EVENT_ENTRYPROPERTIES_GROUPS_DESC', 'Wenn aktiviert, können Leserechte abhängig von Gruppen vergeben werden. Dies wirkt sich auf die Performance der Artikelübersicht stark aus. Aktivieren Sie die Option daher nur, wenn Sie sie wirklich benötigen.');
         break;
 
     case 'en':
@@ -37,7 +39,7 @@ switch ($serendipity['lang']) {
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_STICKYPOSTS', 'Mark this entry as a Sticky Post');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS', 'Entries can be read by');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_PRIVATE', 'Myself');
-        @define('PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_MEMBER', 'Co-authors');
+        @define('PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_MEMBERS', 'Co-authors');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_PUBLIC', 'Everyone');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_CACHE', 'Allow to cache entries?');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_CACHE_DESC', 'If enabled, a cached version will be generated on every saving. Caching will increase performance, but maybe decrease flexibility for other plugins.');
@@ -51,6 +53,8 @@ switch ($serendipity['lang']) {
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_CACHE_TOTAL', ' (totalling %d entries)...');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_NL2BR', 'Disable nl2br');
         @define('PLUGIN_EVENT_ENTRYPROPERTIES_NO_FRONTPAGE', 'Hide from article overview / frontpage');
+        @define('PLUGIN_EVENT_ENTRYPROPERTIES_GROUPS', 'Use group-based restrictions');
+        @define('PLUGIN_EVENT_ENTRYPROPERTIES_GROUPS_DESC', 'If enabled, you can define which users of a usergroup may be able to read entries. This option has a large impact on the performance of your article overview. Only enable this if you are really going to use this feature.');
         break;
 }
 
@@ -67,7 +71,7 @@ class serendipity_event_entryproperties extends serendipity_event
         $propbag->add('description',   PLUGIN_EVENT_ENTRYPROPERTIES_DESC);
         $propbag->add('stackable',     false);
         $propbag->add('author',        'Garvin Hicking');
-        $propbag->add('version',       '1.1');
+        $propbag->add('version',       '1.2');
         $propbag->add('requirements',  array(
             'serendipity' => '0.8',
             'smarty'      => '2.6.7',
@@ -90,7 +94,7 @@ class serendipity_event_entryproperties extends serendipity_event
             'frontend_entryproperties_query'                    => true
         ));
 
-        $propbag->add('configuration', array('cache', 'default_read'));
+        $propbag->add('configuration', array('cache', 'use_groups', 'default_read'));
     }
 
     function introspect_config_item($name, &$propbag)
@@ -101,14 +105,21 @@ class serendipity_event_entryproperties extends serendipity_event
                 $propbag->add('name',        USE_DEFAULT . ': ' . PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS);
                 $propbag->add('description', '');
                 $propbag->add('radio', array(
-                    'value' => array('private', 'member', 'public'),
-                    'desc'  => array(PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_PRIVATE, PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_MEMBER, PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_PUBLIC)
+                    'value' => array('private', 'public', 'member'),
+                    'desc'  => array(PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_PRIVATE, PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_PUBLIC, PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_MEMBERS)
                 ));
                 $propbag->add('default',     'public');
                 $propbag->add('radio_per_row', '1');
 
                 break;
 
+            case 'use_groups':
+                $propbag->add('type',        'boolean');
+                $propbag->add('name',        PLUGIN_EVENT_ENTRYPROPERTIES_GROUPS);
+                $propbag->add('description', PLUGIN_EVENT_ENTRYPROPERTIES_GROUPS_DESC);
+                $propbag->add('default',     'false');
+                break;
+
             case 'cache':
                 $propbag->add('type',        'boolean');
                 $propbag->add('name',        PLUGIN_EVENT_ENTRYPROPERTIES_CACHE);
@@ -141,7 +152,7 @@ class serendipity_event_entryproperties extends serendipity_event
     }
 
     function getSupportedProperties() {
-        static $supported_properties = array('is_sticky', 'access', 'cache_body', 'cache_extended', 'no_nl2br', 'no_frontpage');
+        static $supported_properties = array('is_sticky', 'access', 'access_groups', 'cache_body', 'cache_extended', 'no_nl2br', 'no_frontpage');
 
         return $supported_properties;
     }
@@ -164,15 +175,18 @@ class serendipity_event_entryproperties extends serendipity_event
         foreach($supported_properties AS $prop_key) {
             $prop_val = (isset($properties[$prop_key]) ? $properties[$prop_key] : null);
             $prop_key = 'ep_' . $prop_key;
-            if (!isset($property[$prop_key]) && !empty($prop_val)) {
-                $q = "INSERT INTO {$serendipity['dbPrefix']}entryproperties (entryid, property, value) VALUES (" . (int)$eventData['id'] . ", '" . serendipity_db_escape_string($prop_key) . "', '" . serendipity_db_escape_string($prop_val) . "')";
-            } elseif ($property[$propkey] != $prop_val && !empty($prop_val)) {
-                $q = "UPDATE {$serendipity['dbPrefix']}entryproperties SET value = '" . serendipity_db_escape_string($prop_val) . "' WHERE entryid = " . (int)$eventData['id'] . " AND property = '" . serendipity_db_escape_string($prop_key) . "'";
-            } else {
-                $q = "DELETE FROM {$serendipity['dbPrefix']}entryproperties WHERE entryid = " . (int)$eventData['id'] . " AND property = '" . serendipity_db_escape_string($prop_key) . "'";
+            
+            if (is_array($prop_val)) {
+                $prop_val = ";" . implode(';', $prop_val) . ";";
             }
-
+            
+            $q = "DELETE FROM {$serendipity['dbPrefix']}entryproperties WHERE entryid = " . (int)$eventData['id'] . " AND property = '" . serendipity_db_escape_string($prop_key) . "'";
             serendipity_db_query($q);
+
+            if (!isset($property[$prop_key]) && !empty($prop_val) || $property[$propkey] != $prop_val && !empty($prop_val)) {
+                $q = "INSERT INTO {$serendipity['dbPrefix']}entryproperties (entryid, property, value) VALUES (" . (int)$eventData['id'] . ", '" . serendipity_db_escape_string($prop_key) . "', '" . serendipity_db_escape_string($prop_val) . "')";
+                serendipity_db_query($q);
+            }
         }
     }
 
@@ -181,6 +195,8 @@ class serendipity_event_entryproperties extends serendipity_event
 
         $hooks = &$bag->get('event_hooks');
         $is_cache = serendipity_db_bool($this->get_config('cache', 'true'));
+        $use_groups = serendipity_db_bool($this->get_config('use_groups'));
+
         if (isset($hooks[$event])) {
             switch($event) {
                 case 'frontend_entryproperties_query':
@@ -205,8 +221,8 @@ class serendipity_event_entryproperties extends serendipity_event
 
                     $access_values = array(
                         PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_PRIVATE => 'private',
-                        PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_MEMBER  => 'member',
                         PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_PUBLIC  => 'public',
+                        PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS_MEMBERS => 'member',
                     );
 
                     if (isset($eventData['properties']['ep_access'])) {
@@ -216,6 +232,14 @@ class serendipity_event_entryproperties extends serendipity_event
                     } else {
                         $access = $this->get_config('default_read', 'public');
                     }
+                    
+                    if (isset($eventData['properties']['ep_access_groups'])) {
+                        $access_groups = explode(';', $eventData['properties']['ep_access_groups']);
+                    } elseif (isset($serendipity['POST']['properties']['access_groups'])) {
+                        $access_groups = $serendipity['POST']['properties']['access_groups'];
+                    } else {
+                        $access_groups = array();
+                    }
 ?>
                     <fieldset style="margin: 5px">
                         <legend><?php echo PLUGIN_EVENT_ENTRYPROPERTIES_TITLE; ?></legend>
@@ -229,7 +253,9 @@ class serendipity_event_entryproperties extends serendipity_event
 
 <?php } ?>
 
-                            <?php echo PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS; ?>:
+                            <br />
+                            <?php echo PLUGIN_EVENT_ENTRYPROPERTIES_ACCESS; ?>:<br />
+                            <div style="margin-left: 10px">
 <?php
                     foreach($access_values AS $radio_title => $radio_value) {
 ?>
@@ -237,7 +263,21 @@ class serendipity_event_entryproperties extends serendipity_event
                                 <label title="<?php echo $radio_title; ?>" for="properties_access_<?php echo $radio_value; ?>">&nbsp;<?php echo $radio_title; ?>&nbsp;&nbsp;</label>
 <?php
                     }
+                    
+                    if ($use_groups) {
+                        $my_groups = serendipity_getGroups($serendipity['authorid']);
+?>
+                            <br /><select onchange="document.getElementById('properties_access_member').checked = true;" style="margin-left: 5px" multiple="multiple" name="serendipity[properties][access_groups][]" size="4">
+<?php
+                        foreach($my_groups AS $group) {
+?>
+                                <option value="<?php echo $group['id']; ?>" <?php echo (in_array($group['id'], $access_groups) ? 'selected="selected"' : ''); ?>><?php echo htmlspecialchars($group['name']); ?></option>
+<?php
+                        }
+                    }
 ?>
+                            </select>
+                            </div>
                             <br />
                     </fieldset>
 <?php
@@ -346,6 +386,10 @@ class serendipity_event_entryproperties extends serendipity_event
                         $serendipity['POST']['properties']['cache_body']     = $eventData['body'];
                         $serendipity['POST']['properties']['cache_extended'] = $eventData['extended'];
                     }
+                    
+                    if (is_array($serendipity['POST']['properties']['access_groups']) && $serendipity['POST']['properties']['access'] != 'member') {
+                        unset($serendipity['POST']['properties']['access_groups']);
+                    }
 
                     $this->addProperties($serendipity['POST']['properties'], $eventData);
 
@@ -388,6 +432,15 @@ class serendipity_event_entryproperties extends serendipity_event
                     $conds = array();
                     if ($_SESSION['serendipityAuthedUser'] === true) {
                         $conds[] = " (ep_access.property IS NULL OR ep_access.value = 'member' OR ep_access.value = 'public' OR (ep_access.value = 'private' AND e.authorid = " . (int)$serendipity['authorid'] . ")) ";
+
+                        if ($use_groups) {
+                            $mygroups  = serendipity_checkPermission(null, null, true);
+                            $groupcond = array();
+                            foreach($mygroups AS $mygroup) {
+                                $groupcond[] .= "ep_access_groups.value LIKE '%;$mygroup;%'";
+                            }
+                            $conds[] = " (ep_access_groups.property IS NULL OR ep_access.value = 'member' AND (" . implode(' OR ', $groupcond) . "))";
+                        }
                     } else {
                         $conds[] = " (ep_access.property IS NULL OR ep_access.value = 'public') ";
                     }
@@ -441,6 +494,10 @@ class serendipity_event_entryproperties extends serendipity_event
                     }
                     $joins[] = "LEFT OUTER JOIN {$serendipity['dbPrefix']}entryproperties ep_access
                                              ON (e.id = ep_access.entryid AND ep_access.property = 'ep_access')";
+                    if ($use_groups) {
+                        $joins[] = "LEFT OUTER JOIN {$serendipity['dbPrefix']}entryproperties ep_access_groups
+                                                 ON (e.id = ep_access_groups.entryid AND ep_access_groups.property = 'ep_access_groups')";
+                    }
 
                     if (!isset($addData['noSticky']) || $addData['noSticky'] !== true) {
                         $joins[] = "LEFT JOIN {$serendipity['dbPrefix']}entryproperties ep_sticky
diff --git a/plugins/serendipity_event_statistics/serendipity_event_statistics.php b/plugins/serendipity_event_statistics/serendipity_event_statistics.php
index 4bce669..f9ad744 100644
--- a/plugins/serendipity_event_statistics/serendipity_event_statistics.php
+++ b/plugins/serendipity_event_statistics/serendipity_event_statistics.php
@@ -169,11 +169,9 @@ class serendipity_event_statistics extends serendipity_event
         if (isset($hooks[$event])) {
             switch($event) {
                 case 'backend_sidebar_entries':
-                    // if ($serendipity['serendipityUserlevel'] >= USERLEVEL_EDITOR) {
 ?>
                         <li><a href="?serendipity[adminModule]=event_display&amp;serendipity[adminAction]=statistics"><?php echo PLUGIN_EVENT_STATISTICS_NAME; ?></a></li>
 <?php
-                    // }
 
                     break;
 
diff --git a/serendipity_admin.php b/serendipity_admin.php
index bd2e6c0..19235b2 100644
--- a/serendipity_admin.php
+++ b/serendipity_admin.php
@@ -132,53 +132,74 @@ if (!isset($serendipity['serendipityPath']) || IS_installed === false || IS_up2d
                 <td id="serendipitySideBar">
                     <ul class="serendipitySideBarMenu">
                         <li><a href="serendipity_admin.php"><?php echo ADMIN_FRONTPAGE; ?></a></li>
+<?php if (serendipity_checkPermission('personalConfiguration')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=personal"><?php echo PERSONAL_SETTINGS; ?></a></li>
+<?php } ?>
                     </ul>
                     <br />
-<?php if (!$serendipity['no_create']) { ?>
+<?php if (serendipity_checkPermission('adminEntries')) { ?>
                     <ul class="serendipitySideBarMenu">
                         <li class="serendipitySideBarMenuHead"><?php echo ADMIN_ENTRIES ?></li>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=entries&amp;serendipity[adminAction]=new"><?php echo NEW_ENTRY; ?></a></li>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=entries&amp;serendipity[adminAction]=editSelect"><?php echo EDIT_ENTRIES; ?></a></li>
+<?php if (serendipity_checkPermission('adminComments')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=comments"><?php echo COMMENTS; ?></a></li>
+<?php } ?>
+<?php if (serendipity_checkPermission('adminCategories')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=category&amp;serendipity[adminAction]=view"><?php echo CATEGORIES; ?></a></li>
+<?php } ?>
                         <?php serendipity_plugin_api::hook_event('backend_sidebar_entries', $serendipity); ?>
                     </ul>
 <?php } ?>
-<?php if (!$serendipity['no_create']) { ?>
+<?php if (serendipity_checkPermission('adminImages')) { ?>
                     <ul class="serendipitySideBarMenu">
                         <li class="serendipitySideBarMenuHead"><?php echo MEDIA; ?></li>
+<?php if (serendipity_checkPermission('adminImagesAdd')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=media&amp;serendipity[adminAction]=addSelect"><?php echo ADD_MEDIA; ?></a></li>
+<?php } ?>
+<?php if (serendipity_checkPermission('adminImagesView')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=media"><?php echo MEDIA_LIBRARY; ?></a></li>
-                        <?php if ($serendipity['serendipityUserlevel'] >= USERLEVEL_CHIEF) { ?>
+<?php } ?>
+<?php if (serendipity_checkPermission('adminImagesDirectories')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=media&amp;serendipity[adminAction]=directorySelect"><?php echo MANAGE_DIRECTORIES; ?></a></li>
-                        <?php } ?>
+<?php } ?>
+<?php if (serendipity_checkPermission('adminImagesSync')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=media&amp;serendipity[adminAction]=sync" onclick="return confirm('<?php echo WARNING_THIS_BLAHBLAH; ?>');"><?php echo CREATE_THUMBS; ?></a></li>
+<?php } ?>
                         <?php serendipity_plugin_api::hook_event('backend_sidebar_entries_images', $serendipity); ?>
                     </ul>
 <?php } ?>
-<?php if ($serendipity['serendipityUserlevel'] >= USERLEVEL_CHIEF) { ?>
+<?php if (serendipity_checkPermission('adminTemplates') || serendipity_checkPermission('adminPlugins')) { ?>
                     <ul class="serendipitySideBarMenu">
                         <li class="serendipitySideBarMenuHead"><?php echo APPEARANCE; ?></li>
+<?php if (serendipity_checkPermission('adminTemplates')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=templates"><?php echo MANAGE_STYLES; ?></a></li>
+<?php } ?>
+<?php if (serendipity_checkPermission('adminPlugins')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=plugins"><?php echo CONFIGURE_PLUGINS; ?></a></li>
+<?php } ?>
                         <?php serendipity_plugin_api::hook_event('backend_sidebar_admin_appearance', $serendipity); ?>
                     </ul>
 <?php } ?>
+<?php if (serendipity_checkPermission('siteConfiguration') || serendipity_checkPermission('blogConfiguration') || serendipity_checkPermission('adminUsers') || serendipity_checkPermission('adminUsersGroups') || serendipity_checkPermission('adminImport')) { ?>
                     <ul class="serendipitySideBarMenu">
                         <li class="serendipitySideBarMenuHead"><?php echo ADMIN; ?></li>
-                        <?php if ($serendipity['serendipityUserlevel'] >= USERLEVEL_CHIEF) { ?>
+<?php if (serendipity_checkPermission('siteConfiguration') || serendipity_checkPermission('blogConfiguration')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=configuration"><?php echo CONFIGURATION; ?></a></li>
-                        <?php } ?>
-                        <?php if ($serendipity['serendipityUserlevel'] >= USERLEVEL_CHIEF) { ?>
+<?php } ?>
+<?php if (serendipity_checkPermission('adminUsers')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=users"><?php echo MANAGE_USERS; ?></a></li>
-                        <?php } ?>
-                        <?php if (!$serendipity['no_create']) { ?>
+<?php } ?>
+<?php if (serendipity_checkPermission('adminUsersGroups')) { ?>
+                        <li><a href="serendipity_admin.php?serendipity[adminModule]=groups"><?php echo MANAGE_GROUPS; ?></a></li>
+<?php } ?>
+<?php if (serendipity_checkPermission('adminImport')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=import"><?php echo IMPORT_ENTRIES; ?></a></li>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=export"><?php echo EXPORT_ENTRIES; ?></a></li>
-                        <?php } ?>
+<?php } ?>
                         <?php serendipity_plugin_api::hook_event('backend_sidebar_admin', $serendipity); ?>
                     </ul>
+<?php } ?>
                     <br />
                     <ul class="serendipitySideBarMenu">
                         <li><a href="<?php echo $serendipity['baseURL']; ?>"><?php echo BACK_TO_BLOG; ?></a></li>
@@ -195,48 +216,100 @@ if (!isset($serendipity['serendipityPath']) || IS_installed === false || IS_up2d
     switch($serendipity['GET']['adminModule']) {
         case 'installer':
         case 'configuration':
+            if (!serendipity_checkPermission('siteConfiguration') && !serendipity_checkPermission('blogConfiguration')) {
+                break;
+            }
+
             include S9Y_INCLUDE_PATH . 'include/admin/configuration.inc.php';
             break;
 
         case 'media':
         case 'images':
+            if (!serendipity_checkPermission('adminImages')) {
+                break;
+            }
+
             include S9Y_INCLUDE_PATH . 'include/admin/images.inc.php';
             break;
 
         case 'templates':
+            if (!serendipity_checkPermission('adminTemplates')) {
+                break;
+            }
+
             include S9Y_INCLUDE_PATH . 'include/admin/templates.inc.php';
             break;
 
         case 'plugins':
+            if (!serendipity_checkPermission('adminPlugins')) {
+                break;
+            }
+
             include S9Y_INCLUDE_PATH . 'include/admin/plugins.inc.php';
             break;
 
         case 'users':
+            if (!serendipity_checkPermission('adminUsers')) {
+                break;
+            }
+
             include S9Y_INCLUDE_PATH . 'include/admin/users.inc.php';
             break;
 
+        case 'groups':
+            if (!serendipity_checkPermission('adminUsersGroups')) {
+                break;
+            }
+
+            include S9Y_INCLUDE_PATH . 'include/admin/groups.inc.php';
+            break;
+
         case 'personal':
+            if (!serendipity_checkPermission('personalConfiguration')) {
+                break;
+            }
+
             include S9Y_INCLUDE_PATH . 'include/admin/personal.inc.php';
             break;
 
         case 'export':
+            if (!serendipity_checkPermission('adminImport')) {
+                break;
+            }
+
             include S9Y_INCLUDE_PATH . 'include/admin/export.inc.php';
             break;
 
         case 'import':
+            if (!serendipity_checkPermission('adminImport')) {
+                break;
+            }
+
             include S9Y_INCLUDE_PATH . 'include/admin/import.inc.php';
             break;
 
         case 'entries':
+            if (!serendipity_checkPermission('adminEntries')) {
+                break;
+            }
+
             include S9Y_INCLUDE_PATH . 'include/admin/entries.inc.php';
             break;
 
         case 'comments':
+            if (!serendipity_checkPermission('adminComments')) {
+                break;
+            }
+
             include S9Y_INCLUDE_PATH . 'include/admin/comments.inc.php';
             break;
 
         case 'category':
         case 'categories':
+            if (!serendipity_checkPermission('adminCategories')) {
+                break;
+            }
+
             include S9Y_INCLUDE_PATH . 'include/admin/category.inc.php';
             break;
 
diff --git a/serendipity_config.inc.php b/serendipity_config.inc.php
index 766d957..9b679e9 100644
--- a/serendipity_config.inc.php
+++ b/serendipity_config.inc.php
@@ -21,7 +21,7 @@ if (IS_installed === true && !defined('IN_serendipity')) {
 include_once(S9Y_INCLUDE_PATH . 'include/compat.inc.php');
 
 // The version string
-$serendipity['version']         = '0.9-alpha2';
+$serendipity['version']         = '0.9-alpha3';
 
 // Name of folder for the default theme
 $serendipity['defaultTemplate'] = 'default';
diff --git a/sql/db.sql b/sql/db.sql
index 85f684f..fa491e4 100644
--- a/sql/db.sql
+++ b/sql/db.sql
@@ -23,6 +23,28 @@ create table {PREFIX}authors (
   right_publish int(1) default '1'
 );
 
+create table {PREFIX}groups (
+  id {AUTOINCREMENT} {PRIMARY},
+  name varchar(64) default null
+);
+
+create table {PREFIX}groupconfig (
+  id int(10) {UNSIGNED} not null default '0',
+  property varchar(64) default null,
+  value varchar(128) default null
+);
+
+CREATE INDEX groupid_idx ON {PREFIX}groupconfig (id);
+CREATE INDEX groupprop_idx ON {PREFIX}groupconfig (id, property);
+
+create table {PREFIX}authorgroups (
+  groupid int(10) {UNSIGNED} not null default '0',
+  authorid int(10) {UNSIGNED} not null default '0'
+);
+
+CREATE INDEX authorgroup_idxA ON {PREFIX}authorgroups (groupid);
+CREATE INDEX authorgroup_idxB ON {PREFIX}authorgroups (authorid);
+
 #
 # table structure for table '{PREFIX}comments'
 #
diff --git a/sql/db_update_0.9-alpha2_0.9-alpha3_mysql.sql b/sql/db_update_0.9-alpha2_0.9-alpha3_mysql.sql
new file mode 100644
index 0000000..7f0bbc4
--- /dev/null
+++ b/sql/db_update_0.9-alpha2_0.9-alpha3_mysql.sql
@@ -0,0 +1,21 @@
+create table {PREFIX}groups (
+  id {AUTOINCREMENT} {PRIMARY},
+  name varchar(64) default null
+);
+
+create table {PREFIX}groupconfig (
+  id int(10) {UNSIGNED} not null default '0',
+  property varchar(64) default null,
+  value varchar(128) default null
+);
+
+CREATE INDEX groupid_idx ON {PREFIX}groupconfig (id);
+CREATE INDEX groupprop_idx ON {PREFIX}groupconfig (id, property);
+
+create table {PREFIX}authorgroups (
+  groupid int(10) {UNSIGNED} not null default '0',
+  authorid int(10) {UNSIGNED} not null default '0'
+);
+
+CREATE INDEX authorgroup_idxA ON {PREFIX}authorgroups (groupid);
+CREATE INDEX authorgroup_idxB ON {PREFIX}authorgroups (authorid);