I created an issue to fix the initial problem encountered by Mike [1]. The issue was that an explicit application scoped gate was needed to deny update access even if the access was denied by a provider scoped gate. That problem was captured in a test [2].
WDYT? Marius [1] https://issues.apache.org/jira/browse/SLING-3458 [2] https://github.com/apache/sling/blob/trunk/bundles/resourceaccesssecurity/it/src/test/java/org/apache/sling/resourceaccesssecurity/it/SecuredProviderResourceAccessSecurityTest.java#L103
