consider the following ACL setup:
now: hasPermission(/tesroot/a/b/c, jcr:removeNode) == false but the user is still able to delete the node.
- if we change the order of the ACEs with the restriction, it works (i.e. the user can't delete)
- if we use direct ACLs on the respective nodes, it works
I think this is a bug...but I'm not sure if hasPermission is wrong, or the check during node deletion.