RavenDB Authorization Bundle proper user of SecureFor -

i attempting use ravendb's authorization bundle limit results of query (on workitems) permissions have been explicitly set on workitem documents.

for example:

i have user bob@bob.com userid of /users/1 , workitem has following permissions set in meta-data:

"raven-document-authorization": {     "tags": [],     "permissions": [       {         "operation": "/operations/workitem/search",         "user": "users/1",         "role": null,         "allow": true,         "priority": 1       }     ]   } 

i expect following code limit query (from bob's perspective) 1 workitem, because has permission to.

using (var session = documentstore.opensession()) {     session.securefor("raven/authorization/users/1", "/operations/workitem/search");      var workitemsquery = wi in session.query<workitem>()                      select wi;      var debts = workitemsquery.tolist();      // work items } 

i based code on following example ravendb's documentation (context & user section): http://ravendb.net/docs/2.5/server/extending/bundles/authorization-bundle-design

what getting instead workitems have no explicit permissions set. puzzling me because if run following code:

using (var session = mdocumentstore.opensession())     {        var answer = session.advanced.isoperationallowedondocument(userid, operation, securableid);        var allowed = answer.isallowed;     } 

allowed true.

one additional item of note, attempting ignore or not use authorization bundle's concept of role , wonder if having unintended effect.

it possible misunderstanding example, shed light on subject me? in advance.

also, wondered if issue encountering related stackoverflow question: ravendb: raven query not returning correct count document authorization, issue seems count , not actual results.

just tiddy question, provide answer causing problem. issue related use of "raven/authorization/users/1" syntax. when changed search command use, "users/1" worked correctly.