More granular permissions
Description
Activity
Heikki Levanto, October 9, 2017 at 11:03 AM
I think this is more or less done, but is blocked by MODPERMS-18. Once that is done, I need to test and see this working as intended, and I can close this one.
Heikki Levanto, October 5, 2017 at 6:59 AM
Yes, each front-end module that wants to put notes on something must decide on the domain they will be using, and declare that `notes.domain.x` permission for that domain.
You have a point, `notes.domain.all` should be defined in the MD for mod-notes.
Wayne Schneider, October 4, 2017 at 4:11 PM
@Heikki Levanto – is it the intention that each UI module that uses notes define a `notes.domain.x` permissionSet? And where should the permissionSet `notes.domain.all` be defined? It doesn't seem to be defined in the module descriptor for mod-notes.
Heikki Levanto, September 27, 2017 at 12:48 PM
No, we cannot use required permissions. The notes module desires the wildcard permission `notes.domain.*`, so mod-auth will return all matching permissions in X-Okapi-Permissions, for example `notes.domain.users,notes.domain.items`. When a user wants to list notes, we add a clause in the CQL specifying that domain must match `users` or `items`. Likewise, when the user wants to post a note with `things` in its domain, mod-notes checks that the user has a permission `notes.domains.things`. Since all the permission checks depend on matching the data against the permission bits, this cannot be done in Okapi, or with requiredPermissions.
Jakub Skoczen, September 27, 2017 at 12:12 PM
Btw, since we are using a wildcard (and we already assume that the wildcard character is special), why not use required permissions?
We need a way to allow one user to see notes on items, but not on purchase orders, even if the user has the permission to see both kinds of objects. So we add a DesiredPermission with a wildcard, and mod-notes will check the permission against the (new) domain field in the note.
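
The data-dependent check described in the September 27 comment and in the description above, as an added Python sketch (not mod-notes code, which does not appear on this page). The function names, the allowed domain-name alphabet, the acceptance of a JSON-array header value and the treatment of `notes.domain.all` as covering every domain are assumptions made for the example.

```python
import json
import re

PREFIX = "notes.domain."
# Assumed rule: a domain is a plain token, so it can be placed inside a
# CQL string literal without any quoting or escaping concerns.
DOMAIN_RE = re.compile(r"^[a-z0-9_-]+$")


def granted_domains(header):
    """Parse an X-Okapi-Permissions value into (all_domains, {domain, ...})."""
    header = (header or "").strip()
    if header.startswith("["):  # assumption: value may arrive as a JSON array
        try:
            perms = json.loads(header)
        except ValueError:
            perms = []
        if not isinstance(perms, list):
            perms = []
    else:                       # comma-separated form, as in the comment
        perms = header.split(",")
    domains = set()
    for perm in perms:
        perm = perm.strip() if isinstance(perm, str) else ""
        if not perm.startswith(PREFIX):
            continue            # unrelated permission bits are ignored
        name = perm[len(PREFIX):]
        if name == "all":       # assumption: grants every domain
            return True, set()
        if DOMAIN_RE.match(name):
            domains.add(name)   # malformed names are dropped, never trusted
    return False, domains


def domain_filter(header):
    """CQL clause limiting a listing to granted domains; None = unrestricted."""
    all_domains, domains = granted_domains(header)
    if all_domains:
        return None
    if not domains:
        # Default deny: no matching permission bit means no notes at all.
        raise PermissionError("no notes.domain.* permission granted")
    return "(" + " or ".join('domain=="%s"' % d for d in sorted(domains)) + ")"


def may_post(note_domain, header):
    """True if the note's domain field matches a granted permission."""
    all_domains, domains = granted_domains(header)
    return all_domains or note_domain in domains
```

The clause from `domain_filter` is meant to be ANDed onto the caller's query after that query has been parsed, so that an `or` in the caller's CQL cannot widen the result beyond the granted domains.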