I tried to "extend" the CMS api with my own commands, but it turns out that the authorization interceptor does only work with the built in commands. The class names etc. are hardcoded there and in ACLEnforcer.
Why even bother with the commands if users can't write their own? Or couldn't there be some interface that is used in the ACL-classes so that the specific class names wouldn't need to be known (like getPath() for getting the path instead of casting the commands to the concrete classes).

And another thing.
The GetFolderListCommand needs the READ permission but the contents (ie. the actual folder list for the parent folder passed as parameter) need the WRITE/MANAGE permission for the child nodes. Apparently this is also hardcoded in the acl-classes because the list command is used in the cms admin tool which of course only shows nodes that the user has WRITE permission to...
Is there a way to get the list so that the READ permission would be sufficient to get a folder and a list of its child folders?

And one more. Is there a plan to upgrade the jackrabbit version to a more current one? There are some nice features in the newer versions (hit highlighting for example).