We'd like to know if a user can add or update nodes (so we can control what is displayed in e.g. the UI). I thought Session#checkPermission would work well enough (and, for things controlled by an ACL, I suppose it does). When running with a read-only external source, though, this check succeeds:

session.checkPermission("/read/only/path", "add_node")

Should #checkPermission have some knowledge about read-only projections, or is there a different API we should use instead?