It would be useful if the restricted operations could be selected in the file access control rulesets. For example optionally disable writing, creating, deleting, sharing etc. when ruleset matches.
That way you could make tagged files read-only for specific groups for example. (I know, there are other solutions for that, but I like the flexibility of tagging)
As I saw in the CacheWrapper.php, currently all access to files are masked out. Is there any technical reason to not handle these rights separately? If more than one ruleset matches the file, the outmasked operations should “added” together. So all the rulesets should be checked that way.
Other idea: files should not be listed if there are neither read nor write access to it. Is it technically possible? I would make this check as a last step in generating the file list.
I just started learning the API, that’s why I ask before I try to implement anything…