[gatein-dev] Permission in Application Registry

I created https://jira.jboss.org/jira/browse/GTNPORTAL-1137 but it seems like it might be somewhat working depending on what it actually means. What is the permission setting in application registry suppose to do actually do? Is it suppose to prevent a user from accessing the content or to prevent a user from adding that type of portlet to a page? Each portlet or gadget can specify a 'access permission', but this doesn't seem to prevent users from viewing the application. What it does seem to do is if an unauthorized user tries to add this portlet to a page, they can add the portlet, they just can't view the added portlet on the page. This doesn't seem like expected behaviour either.