ACL ownership insufficient to CHANGE_AUDITING

[n12c]

If we create a new ACL, set ourselves as the owner, create the first ACE assigning some permission to some SID, and try to change the auditing flags on the ACE, the request fails in AclAuthorizationStrategyImpl#securityCheck:

spring-security/acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java

Lines 100 to 105 in f30cc9c

	// Check if authorized by virtue of ACL ownership
	Sid currentUser = createCurrentUser(authentication);
	if (currentUser.equals(acl.getOwner())
	&& ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
	return;
	}

Apparently ownership is enough to give away ownership to another SID or to add, update, and delete ACEs, but it is not enough to update the auditing flags on existing ACEs.

To work around this we must make our first ACE one which gives the administration permission to the owner; securityCheck will then accept our attempts to update the auditing flags on subsequent ACEs.

Is this intentional? If so, why? If not, can securityCheck be changed so that ACL ownership is good enough for auditing changes too?