From fb8e32504f22ccd37a26669b406acc17661b04a8 Mon Sep 17 00:00:00 2001 
From: Eike Stepper Date: Mon, 8 Apr 2013 14:07:26 +0200 Subject: [401172] [Security] Support local permissions on objects https://bugs.eclipse.org/bugs/show_bug.cgi?id=401172 --- .../plugin.properties | 1 + .../provider/ObjectPermissionItemProvider.java | 117 +++++++++++++++++++++ .../security/provider/PermissionItemProvider.java | 2 +- .../META-INF/MANIFEST.MF | 3 +- .../model/security.ecore | 1 + .../model/security.ecorediag | 24 ++++- .../emf/cdo/internal/security/ViewCreator.java | 22 ++++ .../emf/cdo/internal/security/ViewUtil.java | 74 +++++++++++++ .../eclipse/emf/cdo/security/ObjectPermission.java | 18 ++++ .../eclipse/emf/cdo/security/SecurityPackage.java | 67 +++++++++++- .../cdo/security/impl/ObjectPermissionImpl.java | 69 ++++++++++++ .../emf/cdo/security/impl/SecurityPackageImpl.java | 25 +++++ .../cdo/security/util/SecurityAdapterFactory.java | 23 ++++ .../emf/cdo/security/util/SecuritySwitch.java | 108 +++++++++++++++++++ .../.settings/.api_filters | 11 ++ .../server/internal/security/SecurityManager.java | 66 ++++++++++-- .../eclipse/emf/cdo/internal/server/Session.java | 2 +- .../eclipse/emf/cdo/server/IPermissionManager.java | 11 ++ .../cdo/tests/bugzilla/Bugzilla_343084_Test.java | 9 +- 19 files changed, 640 insertions(+), 13 deletions(-) create mode 100644 plugins/org.eclipse.emf.cdo.security.edit/src/org/eclipse/emf/cdo/security/provider/ObjectPermissionItemProvider.java create mode 100644 plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/internal/security/ViewCreator.java create mode 100644 plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/internal/security/ViewUtil.java create mode 100644 plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/ObjectPermission.java create mode 100644 plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/impl/ObjectPermissionImpl.java create mode 100644 plugins/org.eclipse.emf.cdo.server.security/.settings/.api_filters 
diff --git a/plugins/org.eclipse.emf.cdo.security.edit/plugin.properties b/plugins/org.eclipse.emf.cdo.security.edit/plugin.properties index e93e757184..3d6a4ee8b0 100644 --- a/plugins/org.eclipse.emf.cdo.security.edit/plugin.properties +++ b/plugins/org.eclipse.emf.cdo.security.edit/plugin.properties @@ -90,3 +90,4 @@ _UI_SecurityItemProvider_type = Item Provider _UI_Realm_defaultUserDirectory_feature = Default User Directory _UI_Realm_defaultGroupDirectory_feature = Default Group Directory _UI_Realm_defaultRoleDirectory_feature = Default Role Directory +_UI_ObjectPermission_type = Object Permission diff --git a/plugins/org.eclipse.emf.cdo.security.edit/src/org/eclipse/emf/cdo/security/provider/ObjectPermissionItemProvider.java b/plugins/org.eclipse.emf.cdo.security.edit/src/org/eclipse/emf/cdo/security/provider/ObjectPermissionItemProvider.java new file mode 100644 index 0000000000..340799c0f1 --- /dev/null +++ b/plugins/org.eclipse.emf.cdo.security.edit/src/org/eclipse/emf/cdo/security/provider/ObjectPermissionItemProvider.java 
@@ -0,0 +1,117 @@ +/** + */ +package org.eclipse.emf.cdo.security.provider; + +import org.eclipse.emf.cdo.security.Access; +import org.eclipse.emf.cdo.security.ObjectPermission; + +import org.eclipse.emf.common.notify.AdapterFactory; +import org.eclipse.emf.common.notify.Notification; +import org.eclipse.emf.edit.provider.IEditingDomainItemProvider; +import org.eclipse.emf.edit.provider.IItemColorProvider; +import org.eclipse.emf.edit.provider.IItemFontProvider; +import org.eclipse.emf.edit.provider.IItemLabelProvider; +import org.eclipse.emf.edit.provider.IItemPropertyDescriptor; +import org.eclipse.emf.edit.provider.IItemPropertySource; +import org.eclipse.emf.edit.provider.IStructuredItemContentProvider; +import org.eclipse.emf.edit.provider.ITableItemColorProvider; +import org.eclipse.emf.edit.provider.ITableItemFontProvider; +import org.eclipse.emf.edit.provider.ITableItemLabelProvider; +import org.eclipse.emf.edit.provider.ITreeItemContentProvider; + +import java.util.Collection; +import java.util.List; + +/** + * This is the item provider adapter for a {@link org.eclipse.emf.cdo.security.ObjectPermission} object. + * + * @since 4.2 + * + * @generated + */ +public class ObjectPermissionItemProvider extends PermissionItemProvider implements IEditingDomainItemProvider, + IStructuredItemContentProvider, ITreeItemContentProvider, IItemLabelProvider, IItemPropertySource, + ITableItemLabelProvider, ITableItemColorProvider, ITableItemFontProvider, IItemColorProvider, IItemFontProvider +{ + /** + * This constructs an instance from a factory and a notifier. + * + * + * @generated + */ + public ObjectPermissionItemProvider(AdapterFactory adapterFactory) + { + super(adapterFactory); + } + + /** + * This returns the property descriptors for the adapted class. 
+ * + * + * @generated + */ + @Override + public List getPropertyDescriptors(Object object) + { + if (itemPropertyDescriptors == null) + { + super.getPropertyDescriptors(object); + + } + return itemPropertyDescriptors; + } + + /** + * + * + * @generated + */ + @Override + protected boolean shouldComposeCreationImage() + { + return true; + } + + /** + * This returns the label text for the adapted class. + * + * + * @generated + */ + @Override + public String getText(Object object) + { + Access labelValue = ((ObjectPermission)object).getAccess(); + String label = labelValue == null ? null : labelValue.toString(); + return label == null || label.length() == 0 ? getString("_UI_ObjectPermission_type") : //$NON-NLS-1$ + getString("_UI_ObjectPermission_type") + " " + label; //$NON-NLS-1$ //$NON-NLS-2$ + } + + /** + * This handles model notifications by calling {@link #updateChildren} to update any cached + * children and by creating a viewer notification, which it passes to {@link #fireNotifyChanged}. + * + * + * @generated + */ + @Override + public void notifyChanged(Notification notification) + { + updateChildren(notification); + super.notifyChanged(notification); + } + + /** + * This adds {@link org.eclipse.emf.edit.command.CommandParameter}s describing the children + * that can be created under this object. + * + * + * @generated + */ + @Override + protected void collectNewChildDescriptors(Collection newChildDescriptors, Object object) + { + super.collectNewChildDescriptors(newChildDescriptors, object); + } + +} diff --git a/plugins/org.eclipse.emf.cdo.security.edit/src/org/eclipse/emf/cdo/security/provider/PermissionItemProvider.java b/plugins/org.eclipse.emf.cdo.security.edit/src/org/eclipse/emf/cdo/security/provider/PermissionItemProvider.java index 9ce0d8c817..ad93db006b 100644 --- a/plugins/org.eclipse.emf.cdo.security.edit/src/org/eclipse/emf/cdo/security/provider/PermissionItemProvider.java 
+++ b/plugins/org.eclipse.emf.cdo.security.edit/src/org/eclipse/emf/cdo/security/provider/PermissionItemProvider.java @@ -2,8 +2,8 @@ */ package org.eclipse.emf.cdo.security.provider; -import org.eclipse.emf.cdo.security.Permission; import org.eclipse.emf.cdo.security.Access; +import org.eclipse.emf.cdo.security.Permission; import org.eclipse.emf.cdo.security.SecurityPackage; import org.eclipse.emf.common.notify.AdapterFactory; diff --git a/plugins/org.eclipse.emf.cdo.security/META-INF/MANIFEST.MF b/plugins/org.eclipse.emf.cdo.security/META-INF/MANIFEST.MF index a194192aca..333351c65e 100644 --- a/plugins/org.eclipse.emf.cdo.security/META-INF/MANIFEST.MF +++ b/plugins/org.eclipse.emf.cdo.security/META-INF/MANIFEST.MF @@ -7,7 +7,8 @@ Bundle-ClassPath: . Bundle-Vendor: %providerName Bundle-Localization: plugin Bundle-RequiredExecutionEnvironment: J2SE-1.5 -Export-Package: org.eclipse.emf.cdo.security;version="4.2.0", +Export-Package: org.eclipse.emf.cdo.internal.security;version="4.2.0";x-friends:="org.eclipse.emf.cdo.security.edit,org.eclipse.emf.cdo.security.editor,org.eclipse.emf.cdo.server.security", + org.eclipse.emf.cdo.security;version="4.2.0", org.eclipse.emf.cdo.security.impl;version="4.2.0", org.eclipse.emf.cdo.security.util;version="4.2.0" Require-Bundle: org.eclipse.emf.cdo;bundle-version="[4.1.0,5.0.0)";visibility:=reexport diff --git a/plugins/org.eclipse.emf.cdo.security/model/security.ecore b/plugins/org.eclipse.emf.cdo.security/model/security.ecore index 5ac20dc9dd..160b49f153 100644 --- a/plugins/org.eclipse.emf.cdo.security/model/security.ecore +++ b/plugins/org.eclipse.emf.cdo.security/model/security.ecore @@ -101,6 +101,7 @@ + diff --git a/plugins/org.eclipse.emf.cdo.security/model/security.ecorediag b/plugins/org.eclipse.emf.cdo.security/model/security.ecorediag index 545ff09bb9..720b352608 100644 --- a/plugins/org.eclipse.emf.cdo.security/model/security.ecorediag +++ b/plugins/org.eclipse.emf.cdo.security/model/security.ecorediag 
@@ -296,6 +296,22 @@ + + + + + + + + + + + + + + + + @@ -540,6 +556,12 @@ - + + + + + + + diff --git a/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/internal/security/ViewCreator.java b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/internal/security/ViewCreator.java new file mode 100644 index 0000000000..e99513b8d7 --- /dev/null +++ b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/internal/security/ViewCreator.java @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2004 - 2012 Eike Stepper (Berlin, Germany) and others. + * All rights reserved. This program and the accompanying materials + * are made available under the terms of the Eclipse Public License v1.0 + * which accompanies this distribution, and is available at + * http://www.eclipse.org/legal/epl-v10.html + * + * Contributors: + * Eike Stepper - initial API and implementation + */ +package org.eclipse.emf.cdo.internal.security; + +import org.eclipse.emf.cdo.common.revision.CDORevisionProvider; +import org.eclipse.emf.cdo.view.CDOView; + +/** + * @author Eike Stepper + */ +public interface ViewCreator +{ + public CDOView createView(CDORevisionProvider revisionProvider); +} diff --git a/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/internal/security/ViewUtil.java b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/internal/security/ViewUtil.java new file mode 100644 index 0000000000..f2468f6c07 --- /dev/null +++ b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/internal/security/ViewUtil.java 
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2004 - 2012 Eike Stepper (Berlin, Germany) and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Eike Stepper - initial API and implementation
+ */
+package org.eclipse.emf.cdo.internal.security;
+
+import org.eclipse.emf.cdo.common.revision.CDORevisionProvider;
+import org.eclipse.emf.cdo.view.CDOView;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * @author Eike Stepper
+ */
+public final class ViewUtil
+{
+ private static final ThreadLocal VIEW_CREATOR = new ThreadLocal();
+
+ private static final ThreadLocal> VIEWS = new ThreadLocal>();
+
+ private ViewUtil()
+ {
+ }
+
+ private static Map getViews()
+ {
+ Map views = VIEWS.get();
+ if (views == null)
+ {
+ views = new HashMap();
+ VIEWS.set(views);
+ }
+
+ return views;
+ }
+
+ public static CDOView getView(CDORevisionProvider revisionProvider)
+ {
+ Map views = getViews();
+
+ CDOView view = views.get(revisionProvider);
+ if (view == null)
+ {
+ ViewCreator viewCreator = VIEW_CREATOR.get();
+ if (viewCreator == null)
+ {
+ throw new IllegalStateException("No view creator available for " + revisionProvider);
+ }
+
+ view = viewCreator.createView(revisionProvider);
+ views.put(revisionProvider, view);
+ }
+
+ return view;
+ }
+
+ public static void initViewCreation(ViewCreator viewCreator)
+ {
+ VIEW_CREATOR.set(viewCreator);
+ }
+
+ public static void doneViewCreation()
+ {
+ VIEW_CREATOR.remove();
+ VIEWS.remove();
+ }
+}
diff --git a/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/ObjectPermission.java b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/ObjectPermission.java
new file mode 100644
index 0000000000..5c98ce2e4b
--- /dev/null
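Review bot: `doneViewCreation()` in ViewUtil clears the thread-local `VIEWS` map without closing the `CDOView` instances that `getView()` cached in it, so each permission check that resolves an object can leave a view open on the server; this assumes the views a `ViewCreator` opens are owned by this cache, which the hunk does not say. Closing every cached view before the two `remove()` calls, inside a try/finally so the thread-locals are always cleared, would bound that. `initViewCreation()` also silently replaces a creator already set on the thread, so a nested init/done pair would leave the outer check failing with "No view creator available"; a class comment stating that the pair must wrap exactly one check on one thread, in try/finally, would make the contract visible.

```java
public static void doneViewCreation()
{
  try
  {
    Map<CDORevisionProvider, CDOView> views = VIEWS.get();
    if (views != null)
    {
      for (CDOView view : views.values())
      {
        view.close();
      }
    }
  }
  finally
  {
    VIEW_CREATOR.remove();
    VIEWS.remove();
  }
}
```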
+++ b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/ObjectPermission.java @@ -0,0 +1,18 @@ +/** + */ +package org.eclipse.emf.cdo.security; + +/** + * + * A representation of the model object 'Object Permission'. + * @since 4.2 + * + * + * + * @see org.eclipse.emf.cdo.security.SecurityPackage#getObjectPermission() + * @model abstract="true" + * @generated + */ +public interface ObjectPermission extends Permission +{ +} // ObjectPermission diff --git a/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/SecurityPackage.java b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/SecurityPackage.java index 4a9338506e..78256cd37c 100644 --- a/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/SecurityPackage.java +++ b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/SecurityPackage.java 
@@ -861,6 +861,47 @@ public interface SecurityPackage extends EPackage */ int RESOURCE_PERMISSION_FEATURE_COUNT = PERMISSION_FEATURE_COUNT + 1; + /** + * The meta object id for the '{@link org.eclipse.emf.cdo.security.impl.ObjectPermissionImpl Object Permission}' class. + * + * @since 4.2 + * + * @see org.eclipse.emf.cdo.security.impl.ObjectPermissionImpl + * @see org.eclipse.emf.cdo.security.impl.SecurityPackageImpl#getObjectPermission() + * @generated + */ + int OBJECT_PERMISSION = 13; + + /** + * The feature id for the 'Role' container reference. + * + * @since 4.2 + * + * @generated + * @ordered + */ + int OBJECT_PERMISSION__ROLE = PERMISSION__ROLE; + + /** + * The feature id for the 'Access' attribute. + * + * @since 4.2 + * + * @generated + * @ordered + */ + int OBJECT_PERMISSION__ACCESS = PERMISSION__ACCESS; + + /** + * The number of structural features of the 'Object Permission' class. + * + * @since 4.2 + * + * @generated + * @ordered + */ + int OBJECT_PERMISSION_FEATURE_COUNT = PERMISSION_FEATURE_COUNT + 0; + /** * The meta object id for the '{@link org.eclipse.emf.cdo.security.Access Access}' enum. * @@ -870,7 +911,7 @@ public interface SecurityPackage extends EPackage * @see org.eclipse.emf.cdo.security.impl.SecurityPackageImpl#getAccess() * @generated */ - int ACCESS = 13; + int ACCESS = 14; /** * The meta object id for the 'Access Object' data type. @@ -881,7 +922,7 @@ public interface SecurityPackage extends EPackage * @see org.eclipse.emf.cdo.security.impl.SecurityPackageImpl#getAccessObject() * @generated */ - int ACCESS_OBJECT = 14; + int ACCESS_OBJECT = 15; /** * Returns the meta object for class '{@link org.eclipse.emf.cdo.security.SecurityElement Element}'. 
@@ -1478,6 +1519,17 @@ public interface SecurityPackage extends EPackage */ EAttribute getResourcePermission_Pattern(); + /** + * Returns the meta object for class '{@link org.eclipse.emf.cdo.security.ObjectPermission Object Permission}'. + * + * @since 4.2 + * + * @return the meta object for class 'Object Permission'. + * @see org.eclipse.emf.cdo.security.ObjectPermission + * @generated + */ + EClass getObjectPermission(); + /** * Returns the meta object for enum '{@link org.eclipse.emf.cdo.security.Access Access}'. * @@ -1994,6 +2046,17 @@ public interface SecurityPackage extends EPackage */ EAttribute RESOURCE_PERMISSION__PATTERN = eINSTANCE.getResourcePermission_Pattern(); + /** + * The meta object literal for the '{@link org.eclipse.emf.cdo.security.impl.ObjectPermissionImpl Object Permission}' class. + * + * @since 4.2 + * + * @see org.eclipse.emf.cdo.security.impl.ObjectPermissionImpl + * @see org.eclipse.emf.cdo.security.impl.SecurityPackageImpl#getObjectPermission() + * @generated + */ + EClass OBJECT_PERMISSION = eINSTANCE.getObjectPermission(); + /** * The meta object literal for the '{@link org.eclipse.emf.cdo.security.Access Access}' enum. * diff --git a/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/impl/ObjectPermissionImpl.java b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/impl/ObjectPermissionImpl.java new file mode 100644 index 0000000000..5d47fa637e --- /dev/null +++ b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/impl/ObjectPermissionImpl.java 
@@ -0,0 +1,69 @@ +/** + */ +package org.eclipse.emf.cdo.security.impl; + +import org.eclipse.emf.cdo.CDOObject; +import org.eclipse.emf.cdo.common.branch.CDOBranchPoint; +import org.eclipse.emf.cdo.common.id.CDOID; +import org.eclipse.emf.cdo.common.revision.CDORevision; +import org.eclipse.emf.cdo.common.revision.CDORevisionProvider; +import org.eclipse.emf.cdo.internal.security.ViewUtil; +import org.eclipse.emf.cdo.security.ObjectPermission; +import org.eclipse.emf.cdo.security.SecurityPackage; +import org.eclipse.emf.cdo.view.CDOView; + +import org.eclipse.emf.ecore.EClass; + +/** + * + * An implementation of the model object 'Object Permission'. + * @since 4.2 + * + *

+ *

+ * + * @generated + */ +public abstract class ObjectPermissionImpl extends PermissionImpl implements ObjectPermission +{ + /** + * + * + * @generated + */ + protected ObjectPermissionImpl() + { + super(); + } + + /** + * + * + * @generated + */ + @Override + protected EClass eStaticClass() + { + return SecurityPackage.Literals.OBJECT_PERMISSION; + } + + protected CDOView getView(CDORevisionProvider revisionProvider) + { + return ViewUtil.getView(revisionProvider); + } + + /** + * @ADDED + */ + public boolean isApplicable(CDORevision revision, CDORevisionProvider revisionProvider, CDOBranchPoint securityContext) + { + CDOView view = getView(revisionProvider); + CDOID id = revision.getID(); + + CDOObject object = view.getObject(id); + return isApplicable(object, securityContext); + } + + protected abstract boolean isApplicable(CDOObject object, CDOBranchPoint securityContext); + +} // ObjectPermissionImpl diff --git a/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/impl/SecurityPackageImpl.java b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/impl/SecurityPackageImpl.java index 0d87da97e2..9b5abf88cf 100644 --- a/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/impl/SecurityPackageImpl.java +++ b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/impl/SecurityPackageImpl.java @@ -16,6 +16,7 @@ import org.eclipse.emf.cdo.security.Assignee; import org.eclipse.emf.cdo.security.ClassPermission; import org.eclipse.emf.cdo.security.Directory; import org.eclipse.emf.cdo.security.Group; +import org.eclipse.emf.cdo.security.ObjectPermission; import org.eclipse.emf.cdo.security.PackagePermission; import org.eclipse.emf.cdo.security.Permission; import org.eclipse.emf.cdo.security.Realm; 
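Review bot: `isApplicable(CDORevision, CDORevisionProvider, CDOBranchPoint)` in ObjectPermissionImpl carries only an `@ADDED` tag, and nothing states which object state the decision is based on. The method reads just `revision.getID()` and hands the abstract overload whatever `view.getObject(id)` resolves, which is not necessarily the revision that was passed in. I would add Javadoc saying that subclasses see the view's state for that ID and must not assume it matches `revision`, and that the call relies on `ViewUtil.initViewCreation` having been invoked on the current thread. The lookup result is also forwarded unchecked; if an unresolved ID can yield null here (not visible in this hunk), `if (object == null) return false;` before the delegate call would keep the permission from being applied to a missing object.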
@@ -136,6 +137,13 @@ public class SecurityPackageImpl extends EPackageImpl implements SecurityPackage */ private EClass resourcePermissionEClass = null; + /** + * + * + * @generated + */ + private EClass objectPermissionEClass = null; + /** * * @@ -772,6 +780,17 @@ public class SecurityPackageImpl extends EPackageImpl implements SecurityPackage return (EAttribute)resourcePermissionEClass.getEStructuralFeatures().get(0); } + /** + * + * @since 4.2 + * + * @generated + */ + public EClass getObjectPermission() + { + return objectPermissionEClass; + } + /** * * @@ -893,6 +912,8 @@ public class SecurityPackageImpl extends EPackageImpl implements SecurityPackage resourcePermissionEClass = createEClass(RESOURCE_PERMISSION); createEAttribute(resourcePermissionEClass, RESOURCE_PERMISSION__PATTERN); + objectPermissionEClass = createEClass(OBJECT_PERMISSION); + // Create enums accessEEnum = createEEnum(ACCESS); @@ -947,6 +968,7 @@ public class SecurityPackageImpl extends EPackageImpl implements SecurityPackage classPermissionEClass.getESuperTypes().add(getPermission()); packagePermissionEClass.getESuperTypes().add(getPermission()); resourcePermissionEClass.getESuperTypes().add(getPermission()); + objectPermissionEClass.getESuperTypes().add(getPermission()); // Initialize classes and features; add operations and parameters initEClass(securityElementEClass, SecurityElement.class, @@ -1179,6 +1201,9 @@ public class SecurityPackageImpl extends EPackageImpl implements SecurityPackage theEcorePackage.getEString(), "pattern", null, 0, 1, ResourcePermission.class, !IS_TRANSIENT, !IS_VOLATILE, IS_CHANGEABLE, !IS_UNSETTABLE, !IS_ID, IS_UNIQUE, !IS_DERIVED, IS_ORDERED); //$NON-NLS-1$ + initEClass(objectPermissionEClass, ObjectPermission.class, + "ObjectPermission", IS_ABSTRACT, !IS_INTERFACE, IS_GENERATED_INSTANCE_CLASS); //$NON-NLS-1$ + // Initialize enums and add enum literals initEEnum(accessEEnum, Access.class, "Access"); //$NON-NLS-1$ addEEnumLiteral(accessEEnum, Access.READ); 
diff --git a/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/util/SecurityAdapterFactory.java b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/util/SecurityAdapterFactory.java index cc40afb786..7211f1d403 100644 --- a/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/util/SecurityAdapterFactory.java +++ b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/util/SecurityAdapterFactory.java @@ -15,6 +15,7 @@ import org.eclipse.emf.cdo.security.Assignee; import org.eclipse.emf.cdo.security.ClassPermission; import org.eclipse.emf.cdo.security.Directory; import org.eclipse.emf.cdo.security.Group; +import org.eclipse.emf.cdo.security.ObjectPermission; import org.eclipse.emf.cdo.security.PackagePermission; import org.eclipse.emf.cdo.security.Permission; import org.eclipse.emf.cdo.security.Realm; @@ -173,6 +174,12 @@ public class SecurityAdapterFactory extends AdapterFactoryImpl return createResourcePermissionAdapter(); } + @Override + public Adapter caseObjectPermission(ObjectPermission object) + { + return createObjectPermissionAdapter(); + } + @Override public Adapter caseModelElement(ModelElement object) { @@ -395,6 +402,22 @@ public class SecurityAdapterFactory extends AdapterFactoryImpl return null; } + /** + * Creates a new adapter for an object of class '{@link org.eclipse.emf.cdo.security.ObjectPermission Object Permission}'. + * + * This default implementation returns null so that we can easily ignore cases; + * it's useful to ignore a case when inheritance will catch all the cases anyway. + * @since 4.2 + * + * @return the new adapter. + * @see org.eclipse.emf.cdo.security.ObjectPermission + * @generated + */ + public Adapter createObjectPermissionAdapter() + { + return null; + } + /** * Creates a new adapter for an object of class '{@link org.eclipse.emf.cdo.etypes.ModelElement Model Element}'. * 
diff --git a/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/util/SecuritySwitch.java b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/util/SecuritySwitch.java index bb490c8f7f..4d7150dfeb 100644 --- a/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/util/SecuritySwitch.java +++ b/plugins/org.eclipse.emf.cdo.security/src/org/eclipse/emf/cdo/security/util/SecuritySwitch.java @@ -15,6 +15,7 @@ import org.eclipse.emf.cdo.security.Assignee; import org.eclipse.emf.cdo.security.ClassPermission; import org.eclipse.emf.cdo.security.Directory; import org.eclipse.emf.cdo.security.Group; +import org.eclipse.emf.cdo.security.ObjectPermission; import org.eclipse.emf.cdo.security.PackagePermission; import org.eclipse.emf.cdo.security.Permission; import org.eclipse.emf.cdo.security.Realm; @@ -118,9 +119,13 @@ public class SecuritySwitch SecurityElement securityElement = (SecurityElement)theEObject; T result = caseSecurityElement(securityElement); if (result == null) + { result = caseModelElement(securityElement); + } if (result == null) + { result = defaultCase(theEObject); + } return result; } case SecurityPackage.SECURITY_ITEM: @@ -128,11 +133,17 @@ public class SecuritySwitch SecurityItem securityItem = (SecurityItem)theEObject; T result = caseSecurityItem(securityItem); if (result == null) + { result = caseSecurityElement(securityItem); + } if (result == null) + { result = caseModelElement(securityItem); + } if (result == null) + { result = defaultCase(theEObject); + } return result; } case SecurityPackage.REALM: @@ -140,11 +151,17 @@ public class SecuritySwitch Realm realm = (Realm)theEObject; T result = caseRealm(realm); if (result == null) + { result = caseSecurityElement(realm); + } if (result == null) + { result = caseModelElement(realm); + } if (result == null) + { result = defaultCase(theEObject); + } return result; } case SecurityPackage.DIRECTORY: 
@@ -152,13 +169,21 @@ public class SecuritySwitch Directory directory = (Directory)theEObject; T result = caseDirectory(directory); if (result == null) + { result = caseSecurityItem(directory); + } if (result == null) + { result = caseSecurityElement(directory); + } if (result == null) + { result = caseModelElement(directory); + } if (result == null) + { result = defaultCase(theEObject); + } return result; } case SecurityPackage.ROLE: @@ -166,13 +191,21 @@ public class SecuritySwitch Role role = (Role)theEObject; T result = caseRole(role); if (result == null) + { result = caseSecurityItem(role); + } if (result == null) + { result = caseSecurityElement(role); + } if (result == null) + { result = caseModelElement(role); + } if (result == null) + { result = defaultCase(theEObject); + } return result; } case SecurityPackage.ASSIGNEE: @@ -180,13 +213,21 @@ public class SecuritySwitch Assignee assignee = (Assignee)theEObject; T result = caseAssignee(assignee); if (result == null) + { result = caseSecurityItem(assignee); + } if (result == null) + { result = caseSecurityElement(assignee); + } if (result == null) + { result = caseModelElement(assignee); + } if (result == null) + { result = defaultCase(theEObject); + } return result; } case SecurityPackage.GROUP: @@ -194,15 +235,25 @@ public class SecuritySwitch Group group = (Group)theEObject; T result = caseGroup(group); if (result == null) + { result = caseAssignee(group); + } if (result == null) + { result = caseSecurityItem(group); + } if (result == null) + { result = caseSecurityElement(group); + } if (result == null) + { result = caseModelElement(group); + } if (result == null) + { result = defaultCase(theEObject); + } return result; } case SecurityPackage.USER: 
@@ -210,15 +261,25 @@ public class SecuritySwitch User user = (User)theEObject; T result = caseUser(user); if (result == null) + { result = caseAssignee(user); + } if (result == null) + { result = caseSecurityItem(user); + } if (result == null) + { result = caseSecurityElement(user); + } if (result == null) + { result = caseModelElement(user); + } if (result == null) + { result = defaultCase(theEObject); + } return result; } case SecurityPackage.USER_PASSWORD: @@ -226,7 +287,9 @@ public class SecuritySwitch UserPassword userPassword = (UserPassword)theEObject; T result = caseUserPassword(userPassword); if (result == null) + { result = defaultCase(theEObject); + } return result; } case SecurityPackage.PERMISSION: @@ -234,7 +297,9 @@ public class SecuritySwitch Permission permission = (Permission)theEObject; T result = casePermission(permission); if (result == null) + { result = defaultCase(theEObject); + } return result; } case SecurityPackage.CLASS_PERMISSION: @@ -242,9 +307,13 @@ public class SecuritySwitch ClassPermission classPermission = (ClassPermission)theEObject; T result = caseClassPermission(classPermission); if (result == null) + { result = casePermission(classPermission); + } if (result == null) + { result = defaultCase(theEObject); + } return result; } case SecurityPackage.PACKAGE_PERMISSION: @@ -252,9 +321,13 @@ public class SecuritySwitch PackagePermission packagePermission = (PackagePermission)theEObject; T result = casePackagePermission(packagePermission); if (result == null) + { result = casePermission(packagePermission); + } if (result == null) + { result = defaultCase(theEObject); + } return result; } case SecurityPackage.RESOURCE_PERMISSION: 
@@ -262,9 +335,27 @@ public class SecuritySwitch ResourcePermission resourcePermission = (ResourcePermission)theEObject; T result = caseResourcePermission(resourcePermission); if (result == null) + { result = casePermission(resourcePermission); + } if (result == null) + { result = defaultCase(theEObject); + } + return result; + } + case SecurityPackage.OBJECT_PERMISSION: + { + ObjectPermission objectPermission = (ObjectPermission)theEObject; + T result = caseObjectPermission(objectPermission); + if (result == null) + { + result = casePermission(objectPermission); + } + if (result == null) + { + result = defaultCase(theEObject); + } return result; } default: @@ -480,6 +571,23 @@ public class SecuritySwitch return null; } + /** + * Returns the result of interpreting the object as an instance of 'Object Permission'. + * + * This implementation returns null; + * returning a non-null result will terminate the switch. + * @since 4.2 + * + * @param object the target of the switch. + * @return the result of interpreting the object as an instance of 'Object Permission'. + * @see #doSwitch(org.eclipse.emf.ecore.EObject) doSwitch(EObject) + * @generated + */ + public T caseObjectPermission(ObjectPermission object) + { + return null; + } + /** * Returns the result of interpreting the object as an instance of 'Model Element'. * diff --git a/plugins/org.eclipse.emf.cdo.server.security/.settings/.api_filters b/plugins/org.eclipse.emf.cdo.server.security/.settings/.api_filters new file mode 100644 index 0000000000..56e0dd3b62 --- /dev/null +++ b/plugins/org.eclipse.emf.cdo.server.security/.settings/.api_filters @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/plugins/org.eclipse.emf.cdo.server.security/src/org/eclipse/emf/cdo/server/internal/security/SecurityManager.java b/plugins/org.eclipse.emf.cdo.server.security/src/org/eclipse/emf/cdo/server/internal/security/SecurityManager.java index 980a7ccabd..419f6d851b 100644 
--- a/plugins/org.eclipse.emf.cdo.server.security/src/org/eclipse/emf/cdo/server/internal/security/SecurityManager.java +++ b/plugins/org.eclipse.emf.cdo.server.security/src/org/eclipse/emf/cdo/server/internal/security/SecurityManager.java @@ -18,6 +18,8 @@ import org.eclipse.emf.cdo.common.revision.CDORevisionProvider; import org.eclipse.emf.cdo.common.security.CDOPermission; import org.eclipse.emf.cdo.eresource.CDOResource; import org.eclipse.emf.cdo.eresource.EresourcePackage; +import org.eclipse.emf.cdo.internal.security.ViewCreator; +import org.eclipse.emf.cdo.internal.security.ViewUtil; import org.eclipse.emf.cdo.net4j.CDONet4jSession; import org.eclipse.emf.cdo.net4j.CDONet4jSessionConfiguration; import org.eclipse.emf.cdo.net4j.CDONet4jUtil; @@ -32,8 +34,10 @@ import org.eclipse.emf.cdo.security.SecurityFactory; import org.eclipse.emf.cdo.security.SecurityPackage; import org.eclipse.emf.cdo.security.User; import org.eclipse.emf.cdo.security.UserPassword; +import org.eclipse.emf.cdo.server.CDOServerUtil; import org.eclipse.emf.cdo.server.IPermissionManager; import org.eclipse.emf.cdo.server.IRepository; +import org.eclipse.emf.cdo.server.ISession; import org.eclipse.emf.cdo.server.IStoreAccessor.CommitContext; import org.eclipse.emf.cdo.server.ITransaction; import org.eclipse.emf.cdo.server.internal.security.bundle.OM; @@ -535,7 +539,7 @@ public class SecurityManager extends Lifecycle implements InternalSecurityManage } protected CDOPermission getPermission(CDORevision revision, CDORevisionProvider revisionProvider, - CDOBranchPoint securityContext, User user) + CDOBranchPoint securityContext, ISession session, User user) { CDOPermission result = convertPermission(user.getDefaultAccess()); if (result == CDOPermission.WRITE) 
@@ -615,6 +619,19 @@ public class SecurityManager extends Lifecycle implements InternalSecurityManage */ private final class PermissionManager implements IPermissionManager { + public CDOPermission getPermission(CDORevision revision, CDOBranchPoint securityContext, ISession session) + { + String userID = session.getUserID(); + if (SYSTEM_USER_ID.equals(userID)) + { + // TODO Should we also check for access to the /security resource (the realm)? + return CDOPermission.WRITE; + } + + return doGetPermission(revision, securityContext, session, userID); + } + + @Deprecated public CDOPermission getPermission(CDORevision revision, CDOBranchPoint securityContext, String userID) { if (SYSTEM_USER_ID.equals(userID)) @@ -623,12 +640,33 @@ public class SecurityManager extends Lifecycle implements InternalSecurityManage return CDOPermission.WRITE; } + return doGetPermission(revision, securityContext, null, userID); + } + + private CDOPermission doGetPermission(CDORevision revision, final CDOBranchPoint securityContext, + final ISession session, String userID) + { User user = getUser(userID); InternalCDORevisionManager revisionManager = repository.getRevisionManager(); CDORevisionProvider revisionProvider = new ManagedRevisionProvider(revisionManager, securityContext); - return SecurityManager.this.getPermission(revision, revisionProvider, securityContext, user); + ViewUtil.initViewCreation(new ViewCreator() + { + public CDOView createView(CDORevisionProvider revisionProvider) + { + return CDOServerUtil.openView(session, securityContext, revisionProvider); + } + }); + + try + { + return SecurityManager.this.getPermission(revision, revisionProvider, securityContext, session, user); + } + finally + { + ViewUtil.doneViewCreation(); + } } } 
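Review bot: The deprecated `getPermission(..., String userID)` overload in PermissionManager now calls `doGetPermission(revision, securityContext, null, userID)`, and that null session is captured by the anonymous `ViewCreator` and later passed to `CDOServerUtil.openView(session, securityContext, revisionProvider)`. A caller still on the deprecated method therefore fails only once an object permission is actually evaluated, deep inside the check and with an error that does not name the cause. Making the failure explicit at the top of `createView`, for example `if (session == null) throw new IllegalStateException("Object permissions require a session");`, keeps the check failing closed with a clear reason. The new session-based overload also passes `session.getUserID()` straight to `getUser(userID)`; whether that tolerates a session without a user ID is outside this hunk and worth confirming.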
@@ -637,7 +675,7 @@ public class SecurityManager extends Lifecycle implements InternalSecurityManage
 */
 private final class WriteAccessHandler implements IRepository.WriteAccessHandler
 {
- public void handleTransactionBeforeCommitting(ITransaction transaction, CommitContext commitContext,
+ public void handleTransactionBeforeCommitting(ITransaction transaction, final CommitContext commitContext,
 OMMonitor monitor) throws RuntimeException
 {
 if (transaction.getSessionID() == session.getSessionID())
@@ -651,16 +689,32 @@ public class SecurityManager extends Lifecycle implements InternalSecurityManage
 handleCommit(commitContext, user);
- permissionRevisionsBeforeCommitting(commitContext, securityContext, user, commitContext.getNewObjects());
- permissionRevisionsBeforeCommitting(commitContext, securityContext, user, commitContext.getDirtyObjects());
+ ViewUtil.initViewCreation(new ViewCreator()
+ {
+ public CDOView createView(CDORevisionProvider revisionProvider)
+ {
+ return CDOServerUtil.openView(commitContext);
+ }
+ });
+
+ try
+ {
+ permissionRevisionsBeforeCommitting(commitContext, securityContext, user, commitContext.getNewObjects());
+ permissionRevisionsBeforeCommitting(commitContext, securityContext, user, commitContext.getDirtyObjects());
+ }
+ finally
+ {
+ ViewUtil.doneViewCreation();
+ }
 }
 private void permissionRevisionsBeforeCommitting(CommitContext commitContext, CDOBranchPoint securityContext,
 User user, InternalCDORevision[] revisions)
 {
+ ISession session = commitContext.getTransaction().getSession();
 for (InternalCDORevision revision : revisions)
 {
- CDOPermission permission = getPermission(revision, commitContext, securityContext, user);
+ CDOPermission permission = getPermission(revision, commitContext, securityContext, session, user);
 if (permission != CDOPermission.WRITE)
 {
 throw new SecurityException("User " + user + " is not allowed to write to " + revision);
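Review bot: In `permissionRevisionsBeforeCommitting` the new local `ISession session` has the same name as the `session` that `handleTransactionBeforeCommitting` compares against in `transaction.getSessionID() == session.getSessionID()`; no local of that name is declared in the visible lines there, so it presumably is a field of the enclosing class and means a different session. In code that decides write access, two different sessions under one name invite passing the wrong one, so I would rename the local, `ISession committingSession = commitContext.getTransaction().getSession();`, and pass `committingSession` to `getPermission`. The `ViewCreator` registered above ignores its `revisionProvider` argument and calls `CDOServerUtil.openView(commitContext)`; a one-line comment saying why the commit context replaces the provider would help. `handleTransactionBeforeCommitting` begins in the previous hunk and part of its body lies outside both hunks.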
diff --git a/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/internal/server/Session.java b/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/internal/server/Session.java
index 42eaeb98b1..bdc502deac 100644
--- a/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/internal/server/Session.java
+++ b/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/internal/server/Session.java
@@ -361,7 +361,7 @@ public class Session extends Container implements InternalSession
 IPermissionManager permissionManager = manager.getPermissionManager();
 if (permissionManager != null)
 {
- return permissionManager.getPermission(revision, securityContext, userID);
+ return permissionManager.getPermission(revision, securityContext, this);
 }
 return CDORevision.PERMISSION_PROVIDER.getPermission(revision, securityContext);
diff --git a/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/server/IPermissionManager.java b/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/server/IPermissionManager.java
index 7ef3e8f8b6..7a91cf80ce 100644
--- a/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/server/IPermissionManager.java
+++ b/plugins/org.eclipse.emf.cdo.server/src/org/eclipse/emf/cdo/server/IPermissionManager.java
@@ -19,8 +19,19 @@ import org.eclipse.emf.cdo.common.security.CDOPermission;
 *
 * @author Eike Stepper
 * @since 4.1
+ * @noextend This interface is not intended to be extended by clients.
+ * @noimplement This interface is not intended to be implemented by clients.
 */
 public interface IPermissionManager
 {
+ /**
+ * @deprecated As of 4.2 call {@link #getPermission(CDORevision, CDOBranchPoint, ISession)}.
+ */
+ @Deprecated
 public CDOPermission getPermission(CDORevision revision, CDOBranchPoint securityContext, String userID);
+
+ /**
+ * @since 4.2
+ */
+ public CDOPermission getPermission(CDORevision revision, CDOBranchPoint securityContext, ISession session);
 }
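Review bot: The new `getPermission(CDORevision, CDOBranchPoint, ISession)` carries only `@since 4.2`, although Session.java (previous hunk) now routes its permission lookup through it. An implementation built against 4.1 does not have this method, so that call would raise AbstractMethodError at run time; `@noimplement` states the policy but does not help an existing implementer, and it should be confirmed that such an error cannot be turned into granted access further up the call chain. The Javadoc should describe the contract: that `session` identifies the user whose access is evaluated, whether it may be null, that the result is never null, and that the deprecated `String` overload is no longer called by `Session`.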
diff --git a/plugins/org.eclipse.emf.cdo.tests/src/org/eclipse/emf/cdo/tests/bugzilla/Bugzilla_343084_Test.java b/plugins/org.eclipse.emf.cdo.tests/src/org/eclipse/emf/cdo/tests/bugzilla/Bugzilla_343084_Test.java
index b3b01e9fca..519993a950 100644
--- a/plugins/org.eclipse.emf.cdo.tests/src/org/eclipse/emf/cdo/tests/bugzilla/Bugzilla_343084_Test.java
+++ b/plugins/org.eclipse.emf.cdo.tests/src/org/eclipse/emf/cdo/tests/bugzilla/Bugzilla_343084_Test.java
@@ -16,6 +16,7 @@ import org.eclipse.emf.cdo.common.security.CDOPermission;
 import org.eclipse.emf.cdo.common.security.NoPermissionException;
 import org.eclipse.emf.cdo.eresource.CDOResource;
 import org.eclipse.emf.cdo.server.IPermissionManager;
+import org.eclipse.emf.cdo.server.ISession;
 import org.eclipse.emf.cdo.session.CDOSession;
 import org.eclipse.emf.cdo.tests.AbstractCDOTest;
 import org.eclipse.emf.cdo.tests.config.impl.ConfigTest.CleanRepositoriesAfter;
@@ -60,7 +61,7 @@ public class Bugzilla_343084_Test extends AbstractCDOTest
 IPermissionManager permissionManager = new IPermissionManager()
 {
- public CDOPermission getPermission(CDORevision revision, CDOBranchPoint securityContext, String userID)
+ public CDOPermission getPermission(CDORevision revision, CDOBranchPoint securityContext, ISession session)
 {
 EClass eClass = revision.getEClass();
 CDOPermission permission = permissions.get(eClass);
@@ -71,6 +72,12 @@ public class Bugzilla_343084_Test extends AbstractCDOTest
 return CDOPermission.WRITE;
 }
+
+ @Deprecated
+ public CDOPermission getPermission(CDORevision revision, CDOBranchPoint securityContext, String userID)
+ {
+ throw new UnsupportedOperationException();
+ }
 };
 getTestProperties().put(RepositoryConfig.PROP_TEST_AUTHENTICATOR, userManager);
-- 
cgit v1.2.1