Update: Ok, there was an even simpler way to do this -- see ../RelativeGroups
I want to be able to have some ACLs -- quite specific ones that can't be done with just before/default/after settings -- apply to certain pages, without actually showing up in the page markup when a user edits it. For example, instead of hitting "Edit" and seeing:
#acl user239:read,write #acl user7454:read,write #acl user935:read,write #acl user3590:read,write #acl user13568:read,write #acl user9563:read,write #acl user4280:read,write #acl user2756:read,write #acl user349:read,write ... page content ...
they would just see:
... page content ...
.. but, the permissions would be the same. In the latter case, the ACLs would be stored in <pagename>/AllowedUsers, or something like that.
So there will be just one setting added to Moin config:
acl_subpage_name - the name of the subpage to use, i.e. "AllowedUsers" or "PageMembers" or whatever.
The contents of this subpage would be the ACLs themselves, in normal format. There could be other stuff in the subpage as well, but it would just be ignored for our purposes -- and since only admins can modify ACLs, non-admins couldn't sabotage anything. The subpage's ACLs would naturally apply to the subpage itself, but the patched Moin will also apply them to their parent. If the subpage has no ACLs, then it just proceeds normally as you would expect.
This is sort of the inverse of HierachicalAccessControlList -- it's completely optional for each page, and the parent inherits from one specific child. It's basically just meant for having ACLs apply to a page without burdening users with wading through the ACL list when they edit the page.