Index: trunk/kernel/include/portalgroup.php
===================================================================
diff -u -r3983 -r4243
--- trunk/kernel/include/portalgroup.php	(.../portalgroup.php)	(revision 3983)
+++ trunk/kernel/include/portalgroup.php	(.../portalgroup.php)	(revision 4243)
@@ -45,38 +45,38 @@
     }
 
 	/* set $Value to -1 to delete the permission row from the DB */
-	function SetSystemPermission($PermName,$Value)
+	function SetSystemPermission($PermName, $Value)
 	{
-      //echo "Setting $PermName to $Value<br>\n";
-	  $oldval = $this->HasSystemPermission($PermName);
-	  if($Value != $oldval)
-	  {
-        if($Value>-1)
-	    {
-          if($oldval>-1)
-		  {
-		    $sql = "UPDATE ".GetTablePrefix()."Permissions SET PermissionValue=$Value ";
-			$sql .="  WHERE Type=1 AND Permission='$PermName' AND GroupId=".$this->Get("GroupId");
-			
-			//echo "UPDATE SQL: $sql<br>";
-		  }
-		  else
-		  {
-		    $sql = "INSERT INTO ".GetTablePrefix()."Permissions (Permission, GroupId, PermissionValue, Type, CatId) ";
-			$sql .="VALUES ('$PermName',".$this->Get("GroupId").",$Value,1,0)";
-			//echo "INSERT SQL: $sql<br>";
-          }
-		  $this->adodbConnection->Execute($sql);
-          //echo $sql."<br>\n";
-	    }
-		else
-		{
-		  $sql = "DELETE FROM ".GetTablePrefix()."Permissions ";
-          $sql .="  WHERE Type=1 AND Permission='$PermName' AND GroupId=".$this->Get("GroupId");
-          //echo "DELETE SQL: $sql<br>";
-		  $this->adodbConnection->Execute($sql);
+		// don't save DENY system permissions
+
+		//echo "Setting $PermName to $Value<br>\n";
+		$old_value = $this->HasSystemPermission($PermName);
+		if ($Value == $old_value) {
+			return true;
 		}
-	  }
+		
+		if ($Value == 1) {
+			// new value is ALLOWED
+			if ($old_value > -1) {
+				// old value is ALLOWED/DENIED
+				$sql = 'UPDATE '.GetTablePrefix().'Permissions
+						SET PermissionValue = '.$Value.'
+						WHERE Type = 1 AND Permission = '.$this->adodbConnection->qstr($PermName).' AND GroupId = '.$this->Get('GroupId');
+			}
+			else {
+				// permission was inherited before => no record in db
+				$sql = 'INSERT INTO '.GetTablePrefix().'Permissions (Permission, GroupId, PermissionValue, Type, CatId) ';
+				$sql .= 'VALUES ('.$this->adodbConnection->qstr($PermName).','.$this->Get('GroupId').','.$Value.',1,0)';
+			}
+			$this->adodbConnection->Execute($sql);
+		}
+		else {
+			// permission becomes inherited now or set to DENIED
+			$sql = 'DELETE FROM '.GetTablePrefix().'Permissions
+					WHERE Type = 1 AND Permission = '.$this->adodbConnection->qstr($PermName).' AND GroupId = '.$this->Get('GroupId');
+			$this->adodbConnection->Execute($sql);
+		}
+		
 	}
 
     function CheckPermission($permissionName)