Extend SessionImpl.hasCapability to cover access control write operations

for building access control related UIs there is currently no way to determine if ac mgt operations on a given node would fail because that node is owned by a read-only immutable mount.

for other methods rombert expanded Session.hasCapability to take mounts into account. i would suggest that we extend the API method to also cover setPolicy and removePolicy operations called on the AccessControlManager. this would allow to determine if altering access control content is possible or prevented (either by lack of permission or due to a readonly mount).