Opencast's authorization service has two different methods of evaluating
XACML (access control) attachments with should work similarly but do
work differently resulting in unwanted denial of access in some cases.
In the end both path should work the same way and could even share most
of the code making the whole process less confusing and easier to