from the top of my head:
every node stores a list of child node entries (i.e. name/id pairs). the
child node entries are filtered at runtime while iterating over child nodes,
i.e. the id's are passed to the AccessManager to check the permissions
*before* the child node is loaded. at least that's how it used to be.
currently that is removed, for i wanted to avoid the duplicate
permission check as it used to happen (first upon building the
id-iterator within ItemManager#getChild... and later on again
upon accessing the Item).
however, if this causes problems we may add the permission check again
within ItemManager#getChildNodes and ItemManager#getChildProperties.
regards
angela
