Hi,

On Thu, Jun 26, 2014 at 4:10 AM, Angela Schreiber <anch...@adobe.com> wrote:
> however, please be aware that one key feature of oak (compared to
> jackrabbit which only allowed permission evaluation by path) is that
> it always needs to be clear if the target for the permission evaluation
> is a node or a property. similarly, the restrictions may require the
> item being retrieved in order to perform the required evaluation (e.g.
> restricting access by node type).

Agreed. Here with the covered index idea we however have a valid use
case for considering changes to the internal access control API. Such
a change would indeed make it harder to implement some access control
features (like type-dependent restrictions), so we'd need to carefully
weigh the benefits and drawbacks of such a change before implementing
it. For now I tend to agree with you that we shouldn't change anything
here, but I've been wrong before so I think it would be a good idea to
keep our options open here.

BR,

Jukka Zitting
