is there a reason that sharing wouldn't entail writing a relationship between an account and a session and then having your app check whether the account has the requisite permission?