OGo object permissions are checked using the SkyAccessManager, accessible from the LSCommandContext.

TODO: write much more ...

Enterprise Record

Old-Style Access Check

/**
 * Old-style check: decides locally whether editing of the displayed record
 * must be disabled for the active account.
 *
 * Editing stays enabled when any one of these holds:
 *   - the record is neither private nor read-only,
 *   - the active account's companyId equals the ownerId read from the
 *     record's owner,
 *   - the session reports the active account as root.
 * The owner and root therefore bypass both the isPrivate and the isReadonly
 * flag.
 *
 * NOTE(review): the policy is evaluated here from record attributes instead
 * of being delegated to the SkyAccessManager; presumably any ACL held by the
 * access manager is not consulted on this path -- confirm.
 * NOTE(review): the method name suggests this only gates the edit UI; verify
 * that the write itself is authorized again where it is executed.
 *
 * @return YES when editing must be disabled, NO when it is allowed.
 */
- (BOOL)isEditDisabled {
  id   account      = [[self session] activeAccount];
  id   companyId    = [account valueForKey:@"companyId"];
  id   record       = [self object];
  BOOL privateFlag  = [[record valueForKey:@"isPrivate"] boolValue];
  BOOL readonlyFlag = [[record valueForKey:@"isReadonly"] boolValue];

  // Public, writable records are editable by everyone.
  if (!privateFlag && !readonlyFlag)
    return NO;

  // Ownership check. A nil companyId makes the isEqual: message return NO,
  // so a missing session account does not match by accident.
  // NOTE(review): ownerId is read from [record owner], not from the record
  // itself -- confirm this is the intended key path.
  if ([companyId isEqual:[[record owner] valueForKey:@"ownerId"]])
    return NO;

  // Root may always edit.
  if ([[self session] activeAccountIsRoot])
    return NO;

  return YES;
}

New-Style Access Check using SkyAccessManager

/**
 * New-style check: asks the access manager of the command context whether
 * the write operation ("w") is allowed on the displayed object, identified
 * by its globalID.
 *
 * Messaging nil returns zero, so a missing command context or access manager
 * yields "not allowed" and this method returns YES (editing disabled).
 *
 * NOTE(review): how the access manager treats a nil globalID is not visible
 * here -- confirm it denies rather than allows.
 * NOTE(review): the method name suggests this only gates the edit UI; verify
 * that the write itself is authorized again where it is executed.
 *
 * @return YES when editing must be disabled, NO when write access is granted.
 */
- (BOOL)isEditDisabled {
  id accessManager = [[self commandContext] accessManager];
  id objectID      = [[self object] valueForKey:@"globalID"];

  return ![accessManager operation:@"w" allowedOnObjectID:objectID];
}