You write:
My fix for these two problems: add a mapping table that contains information for permission and URL stub. E.g. news would get "news_read" as the required permission and "item?item_id=" as the URL stub. Is that reasonable?
My question:
Would the permissions mapping you are thinking about allow membership-scoped results?
So that a user only gets results on objects with

    [user] [group] [world]
      -     read     -

if he is a member of the group.
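One way the two ideas could fit together, as an added sketch that is not code from either poster: a per-type table of (required permission, URL stub) as proposed, plus a user/group/world read mask on each object so that group-only read really is scoped to group members. The object model, the mode tuple and the sample data are assumptions.

```python
from dataclasses import dataclass

# Assumed per-type mapping table: type -> (required permission, URL stub).
TYPE_TABLE = {
    "news": ("news_read", "item?item_id="),
    "doc": ("doc_read", "doc?doc_id="),
}


@dataclass(frozen=True)
class Obj:
    kind: str
    obj_id: int
    owner: str
    group: str
    read: tuple  # (user_read, group_read, world_read), i.e. [user] [group] [world]


@dataclass(frozen=True)
class User:
    name: str
    perms: frozenset  # feature permissions such as "news_read"
    groups: frozenset  # group memberships


def may_read(user, obj):
    """Membership-scoped read check over the user/group/world slots."""
    u, g, w = obj.read
    if w:
        return True
    if u and obj.owner == user.name:
        return True
    return bool(g and obj.group in user.groups)


def visible_results(user, objects):
    """Apply the type table's permission, then the object's mask; fail closed."""
    hits = []
    for o in objects:
        entry = TYPE_TABLE.get(o.kind)
        if entry is None:
            continue  # unknown type: never shown
        perm, stub = entry
        if perm in user.perms and may_read(user, o):
            hits.append(f"{stub}{o.obj_id}")
    return hits


# Constructed sample data; "- read -" is the group-only mask from the thread.
OBJECTS = [
    Obj("news", 1, "alice", "editors", (False, True, False)),  # - read -
    Obj("news", 2, "bob", "editors", (True, False, False)),    # owner only
    Obj("news", 3, "carol", "staff", (False, False, True)),    # world
    Obj("doc", 4, "dave", "editors", (False, True, False)),    # needs doc_read
]
ALICE = User("alice", frozenset({"news_read"}), frozenset({"editors"}))
ERIN = User("erin", frozenset({"news_read", "doc_read"}), frozenset({"staff"}))
```

Alice (editor, news only) sees items 1 and 3; Erin (staff, both permissions) sees only the world-readable item 3.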