diff --git a/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java b/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
index cede735d4b..44b8ad2507 100644
--- a/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
+++ b/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
@@ -36,6 +36,8 @@
 import net.sf.acegisecurity.ConfigAttributeDefinition;
 import net.sf.acegisecurity.afterinvocation.AfterInvocationProvider;
 import org.alfresco.cmis.CMISResultSet;
+import org.alfresco.error.AlfrescoRuntimeException;
+import org.alfresco.query.PagingResults;
 import org.alfresco.query.PermissionedResults;
 import org.alfresco.repo.blog.BlogPostInfo;
 import org.alfresco.repo.search.SimpleResultSetMetaData;
@@ -255,19 +257,47 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
 }
 else if (StoreRef.class.isAssignableFrom(returnedObject.getClass()))
 {
+ if (log.isDebugEnabled())
+ {
+ log.debug("Store access");
+ }
 return decide(authentication, object, config, nodeService.getRootNode((StoreRef) returnedObject)).getStoreRef();
 }
 else if (NodeRef.class.isAssignableFrom(returnedObject.getClass()))
 {
+ if (log.isDebugEnabled())
+ {
+ log.debug("Node access");
+ }
 return decide(authentication, object, config, (NodeRef) returnedObject);
 }
 else if (FileInfo.class.isAssignableFrom(returnedObject.getClass()))
 {
 return decide(authentication, object, config, (FileInfo) returnedObject);
 }
- else if (PermissionedResults.class.isAssignableFrom(returnedObject.getClass()))
+ else if (PagingResults.class.isAssignableFrom(returnedObject.getClass()))
 {
- return decide(authentication, object, config, (PermissionedResults) returnedObject);
+ if (PermissionedResults.class.isAssignableFrom(returnedObject.getClass()) &&
+ (! ((PermissionedResults)returnedObject).permissionsApplied()))
+ {
+ throw new AlfrescoRuntimeException("Not implemented");
+ /*
+ if (log.isDebugEnabled())
+ {
+ log.debug("Paging Results access");
+ }
+ return decide(authentication, object, config, ((PagingResults) returnedObject);
+ */
+ }
+ else
+ {
+ if (log.isDebugEnabled())
+ {
+ log.debug("Paging Results access - already checked permissions for " + object.getClass().getName());
+ }
+
+ return returnedObject;
+ }
 }
 else if (Pair.class.isAssignableFrom(returnedObject.getClass()))
 {
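Review bot: The `else` arm of the new `PagingResults` branch returns `returnedObject` unfiltered for any `PagingResults` that does not implement `PermissionedResults`, so this after-invocation check fails open for those results while the debug message claims permissions were already checked. Nothing visible in the hunk establishes that such a result was filtered upstream; if the callers guarantee it, record that in a comment, otherwise invert the test so only a result that asserts `permissionsApplied()` passes: `if (!(returnedObject instanceof PermissionedResults) || !((PermissionedResults) returnedObject).permissionsApplied())` followed by the throw. The throw would be easier to diagnose with a message naming the contract (the removed overload stated that `permissionsApplied() == true` was required) rather than `"Not implemented"`, and the commented-out block after it is unreachable and has an unbalanced parenthesis, so it is better deleted. The enclosing method starts and ends outside the hunk.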
@@ -456,17 +486,7 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider, // the noderef was allowed return returnedObject; } - - private PermissionedResults decide(Authentication authentication, Object object, ConfigAttributeDefinition config, PermissionedResults returnedObject) throws AccessDeniedException - { - if (!returnedObject.permissionsApplied()) - { - throw new UnsupportedOperationException("PermissionedResults must have permissionsApplied() == true."); - } - // This passes - return returnedObject; - } - + @SuppressWarnings("rawtypes") private Pair decide(Authentication authentication, Object object, ConfigAttributeDefinition config, Pair returnedObject) throws AccessDeniedException { @@ -476,7 +496,6 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider, return returnedObject; } - @SuppressWarnings("rawtypes") private List extractSupportedDefinitions(ConfigAttributeDefinition config) { List definitions = new ArrayList(); @@ -847,7 +866,6 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider, return new QueryEngineResults(answer); } - @SuppressWarnings("rawtypes") private Collection decide(Authentication authentication, Object object, ConfigAttributeDefinition config, Collection returnedObject) throws AccessDeniedException { if (returnedObject == null) @@ -1027,10 +1045,15 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider, @SuppressWarnings("rawtypes") private Object[] decide(Authentication authentication, Object object, ConfigAttributeDefinition config, Object[] returnedObject) throws AccessDeniedException + { - // Assumption: value is not null BitSet incudedSet = new BitSet(returnedObject.length); + if (returnedObject == null) + { + return null; + } + List supportedDefinitions = extractSupportedDefinitions(config); if (supportedDefinitions.size() == 0) 
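Review bot: In the `Object[]` overload of `decide` (the `-1027,10 +1045,15` hunk), the added `if (returnedObject == null)` guard sits after the unchanged line `BitSet incudedSet = new BitSet(returnedObject.length);`, which already dereferences the array, so a null return value still ends in a NullPointerException and `return null;` is unreachable for that case. The commit also deletes the `// Assumption: value is not null` comment, which suggests null is now meant to be tolerated. Move the guard to the top of the body, before the `BitSet` allocation, so the method matches the `Collection` overload, whose `if (returnedObject == null)` check is the first statement visible in its hunk. The method body continues past the end of the hunk.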
@@ -1145,7 +1168,6 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider, } } - @SuppressWarnings("rawtypes") public boolean supports(Class clazz) { return (MethodInvocation.class.isAssignableFrom(clazz));