we've considered the idea of an aggregate permission and then returning which path(s) are valid