Comment 1 for bug 786904

Ok so i completely screwed these up when i implemented them based on my interpretations of what the ServiceImpl should be doing;

What each checkPermissions should look like:

/**
 * Gets the Role of the current user, and the View they should see of the object passed to it
 * @param object the object to get the permissions for
 * @param pm the PersistenceManager
 * @return the Role of the current user and the ClientView it should see
private RoleAndView checkPermissions(ModelClass object, PersistenceManager pm) {
   //The currently logged in user
   UserData curUser = UserGetter.getCurrentUser(pm);
   /*TODO: look up the user that the object belongs to through the heirachy of relationships
    * For example suppose object is of type Game:
    * DevTeamData dtd = DevTeamGetter.getDevTeam(object.getDevTeamKey());
    * ClientView cv = ClientView.PUBLIC; //assume by default
    * for (Key k : dtd.getUsers()) {
    * if (k.getID() == curUser.getPrimaryKey() {
    * cv = ClientView.PRIVATE; //CurUser is part of the devteam the object belongs to
    * }
    * }
    */

   return new RoleAndView(curUser.getRole(), cv, curUser);
}

Then you pass the ClientView and Role from the returned RoleAndView to the ModelWrapper.getClient/DataClone calls which will construct/store the object based on the role and view recieved.
This should be in _EVERY_ ServerSideImpl that accesses/writes to the datastore.

Hope this helps.