...
An attempt to remove a node will trigger a call with the remove action on the subject node and call with the remove_child_nodes action on the parent node. Both must return true for the operation to proceed. If your PEP needs to enforce deletes in a cascading fashion, as when using access roles, then the "remove" action must include the permissions check of remove on descendant nodes. (See AbstractRoleBasedPEP for an example)
Roles-Aware PEPs
There is a convenience abstract class for those implementing policy enforcement points that need to be aware of access roles. If you subclass this AbstractRolesBasedPEP class, then your implementation can be reduced to a single method.