My understanding from a bug report I submitted, getAllowedRecords is depreciated, but that function is used in both the Helpdesk and Companies modules to get a list of companies that the user is allowed access to (and many other places too of course, but that's just an example).

So, what is the new method to be used to get a list of records (items) that a user is allowed access to?

Also, the security model of phpgacl is that everybody is denied access and then access is allowed from there. But, I'm getting the idea that dotProject's model is that everything is allowed and then deny policies are applied. Is this correct? Or am I mistaken?

dotproject's module is access denied unless otherwise stated, but with roles you can overwrite this behaviour :)

you should use
$q->addWhere($modules_class->getAllowedSQL());

to limit access as a replacement to getAllowedRecords - look in modules/tasks/tasks.php for examples how to use it.

dotproject's module is access denied unless otherwise stated, but with roles you can overwrite this behaviour :)
No, no... I dont want to do that. I prefer default-deny

I'll try out getAllowedSQL and see what I can come up with.

Thanks!