I'm trying to upgrade from 3.0.5 to 3.1.1, and ran into trouble with accesscontrollist's hasPermission attribute. It previously accepted integer bitmasks, or string values consisting of single permission names or a comma-delimited list of permission names. After upgrading, it now only accepts single permission names. Is this expected? It appears the change to AccessControlListTag.java after the change for this ticket removed the call that resolves the hasPermission attribute to a collection of Permission objects. I tried to view that ticket (#1798), but Jira returned a permission-denied response, so I'm posting a comment here.
I examined the 3.1.1 code, and can't find any potential execution path that would allow the hasPermission attribute value to be parsed into a collection of Permission objects without providing my own PermissionEvaluator instance. The current combination of AccessControlListTag and AclPermissionEvaluator only interprets the value as single permission name.
If I want to allow single permission names, comma-delimited lists of permission names, and integer bitmasks, is a custom implementation of PermissionEvaluator the appropriate and intended solution?