eZ Publish / Platform / EZP-18703

A user can remove any location if he has the right to delete one of them


Details

    Description

      When an object has many locations, a user who has the right to delete one of them is able to delete any of them, because the policies are checked against the content object and not against the node the user wants to delete.

      Steps to reproduce

      1. Create a folder called Subtree_where_i_can_remove
      2. Create a policy where the user is allowed to delete any content under Subtree_where_i_can_remove:

      • user / all functions / No limitations
      • content / read / No limitations
      • content / remove / Subtree( Subtree_where_i_can_remove ) , Section( Standard )

      3. Create a user and assign this policy to it
      4. Create a folder outside Subtree_where_i_can_remove (let's call it folder1)
      5. Add a location in Subtree_where_i_can_remove to folder1
      6. Go to the parent of the main location of folder1
      7. Using the cog wheel menu, it's possible to remove the location of folder1 even if the user only has the right to delete something under Subtree_where_i_can_remove
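
The flaw described above, reduced to a minimal Python model that puts the object-level check beside a per-location check. This is an added example, not eZ Publish code: the class names, function names, node ids and paths are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Location:
    node_id: int
    path: str  # materialized path of node ids, always ending in "/"

@dataclass
class Content:
    name: str
    section: str
    locations: list  # every Location this content object is placed at

@dataclass(frozen=True)
class RemovePolicy:
    subtree: str  # path prefix covered by the Subtree limitation
    section: str  # value of the Section limitation

def can_remove_object_level(policy, content, target):
    """Flawed: the Subtree limitation is matched against the content object,
    so one location inside the subtree authorizes removing any location."""
    return content.section == policy.section and any(
        loc.path.startswith(policy.subtree) for loc in content.locations)

def can_remove_location_level(policy, content, target):
    """Corrected: the Subtree limitation is matched against the one
    location (node) the user is asking to remove."""
    return (content.section == policy.section
            and target in content.locations
            and target.path.startswith(policy.subtree))

# Constructed data mirroring the steps to reproduce.
# The trailing "/" keeps "/1/2/100/" from matching "/1/2/1000/".
policy = RemovePolicy(subtree="/1/2/100/", section="Standard")
main_loc = Location(201, "/1/2/201/")       # folder1 main location, outside the subtree
extra_loc = Location(202, "/1/2/100/202/")  # location added under Subtree_where_i_can_remove
folder1 = Content("folder1", "Standard", [main_loc, extra_loc])

def report():
    """Decision of each check for each location of folder1."""
    return {
        (check.__name__, loc.node_id): check(policy, folder1, loc)
        for check in (can_remove_object_level, can_remove_location_level)
        for loc in folder1.locations
    }

if __name__ == "__main__":
    for key, allowed in report().items():
        print(key, "->", "allowed" if allowed else "denied")
```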

          People

            dp@ez.no dp@ez.no