Main goal for writing an org.modeshape.jcr.security.AuthorizationProvider is to control security access of JCR operation via hasPermission() method.

Current API:

public boolean hasPermission(ExecutionContext context, String repositoryName, String repositorySourceName,
String workspaceName, Path path, String... actions)

has a Path object, but sometimes path can be relative without any access to its absolute path, for example using addNode(<relative_path>).

This creates a limitation and it's not possible to design an ACL service for modeshape using this API, due we need to know the absolute path and context of the node that a user is trying to create to check if user hasPermission to create it under a specific path.

Also, this issue comes due we don't have an ACL service, so a user needs to create a custom AuthorizationProvider to implement these features on ModeShape.