Here are more details about Derick's question,
When you use the button for bulk actions, the script is:
server/file-storage/www/delete.tcl
and the code which determines if the user has proper permissions is the following sql (oracle's is similar):
select fs.object_id as fs_object_id, fs.type, fs.name, fs.parent_id,
acs_permission__permission_p(fs.object_id, :user_id, 'write') as delete_p
from fs_objects fs
where fs.object_id in ('$object_id_list')
On the other hand, if you go through the file properties page and delete a file, the requested script is
server/file-storage/www/file-delete.tcl
and the corresponding checking code is
ad_require_permission $file_id delete
Additionally, the following comment appears in the move.tcl and delete.tcl file
# DaveB: I think it should be DELETE instead of WRITEs:
