
Why does Session.checkPermission() bypass the SecurityPolicy for Administrators?

rg1_
Star Contributor

It appears invocation of SecurityPolicy.checkPermission() is normally bypassed for Administrators whereas SecurityPolicy.QueryTransformer.transform() is invoked for Administrators. As a result of this discrepancy, when Administrators invoke a CMIS getChildren() operation on a specific folder for example, they might see different results than when they browse the folder via the Nuxeo DM Web UI. The CMIS operation relies on the Session.getChildren() method which calls Session.checkPermission() which bypasses the SecurityPolicy for Administrators. Folder navigation via the Nuxeo DM Web UI relies upon SecurityPolicy.QueryTransformer.transform() which is applied for Administrators.

I would like to control how my SecurityPolicy applies to Administrators, specifically the behavior of the SecurityPolicy.checkPermission. The implementation of AbstractSession.checkPermission() appears to prevent me from doing so. Thoughts?

1 ACCEPTED ANSWER

Florent_Guillau
World-Class Innovator

Administrators are "root", they should see everything by design. So your SecurityPolicy.QueryTransformer.transform should do nothing if the principal is the Administrator. We could indeed completely bypass calling the transform method in that case. But it's easy to add a check in the method implementation.

If you want to restrict what Administrator sees then I'd say that you're using the wrong user.


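A self-contained Java model of the two enforcement paths described in this thread, and of the administrator check the accepted answer suggests placing in `transform()`. This is an added example, not Nuxeo code or code from either poster, and every type and method in it (`Policy`, `hideRestricted`, `getChildren`, `queryChildren`) is a hypothetical stand-in rather than the Nuxeo API.

```java
import java.util.List;
import java.util.function.Predicate;

// Stand-in model, NOT the Nuxeo API: all types and names below are hypothetical.
public class AdminPolicyConsistency {
    record Principal(String name, boolean administrator) {}
    record Doc(String name, boolean restricted) {}

    // Models a security policy with two enforcement hooks.
    interface Policy {
        boolean checkPermission(Doc doc, Principal p);   // per-document path
        Predicate<Doc> transform(Principal p);           // query-rewrite path
    }

    // Policy that hides restricted documents; adminGuard toggles the check
    // the answer recommends adding inside transform().
    static Policy hideRestricted(boolean adminGuard) {
        return new Policy() {
            public boolean checkPermission(Doc d, Principal p) { return !d.restricted(); }
            public Predicate<Doc> transform(Principal p) {
                if (adminGuard && p.administrator()) {
                    return d -> true;                    // no-op filter for administrators
                }
                return d -> !d.restricted();
            }
        };
    }

    // Per-document path as described in the question: policy skipped for administrators.
    static List<Doc> getChildren(List<Doc> folder, Principal p, Policy policy) {
        return folder.stream()
                .filter(d -> p.administrator() || policy.checkPermission(d, p))
                .toList();
    }

    // Query path as described in the question: transform applied to every principal.
    static List<Doc> queryChildren(List<Doc> folder, Principal p, Policy policy) {
        return folder.stream().filter(policy.transform(p)).toList();
    }

    public static void main(String[] args) {
        List<Doc> folder = List.of(new Doc("public.txt", false), new Doc("hr.txt", true)); // constructed sample
        Principal admin = new Principal("Administrator", true);
        Principal user = new Principal("jdoe", false);
        for (boolean guard : new boolean[] {false, true}) {
            Policy policy = hideRestricted(guard);
            System.out.printf("guard=%b admin: getChildren=%d query=%d | user: getChildren=%d query=%d%n",
                    guard, getChildren(folder, admin, policy).size(), queryChildren(folder, admin, policy).size(),
                    getChildren(folder, user, policy).size(), queryChildren(folder, user, policy).size());
        }
    }
}
```

With the guard off, the administrator's two views of the same folder disagree while the ordinary user's views agree; with the guard on, both paths return the same documents for every principal.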