Subtrees aren't deeply visited for access control/callbacks on delete #93

@chrisandreae

Only the deleted node is visited - we made the assumption (intentionally) that having permissions to delete a parent implies necessarily having permissions to delete its wholly owned children, even if the permission is not explicitly stated.

However, it's no longer valid to make this assumption in the case of generalized viewmodel callbacks: an on-change hook on a node should still have a chance to have its side effects even if the node was deleted recursively via its parent.

So, we're going to have to revisit subtree deletion. The implementation of this should take into account #8.
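An added sketch of the gap described in this issue, not code from the project: a toy tree where a shallow delete checks and notifies only the deleted root, next to a deep visit that covers every node in the subtree. `Node`, `delete_shallow`, `delete_deep` and the sample data are hypothetical, and checking all nodes before firing any hook is an assumption of this sketch.

```ruby
# Hypothetical toy model; none of these names come from the project.
class AccessDenied < StandardError; end

Node = Struct.new(:name, :children, :deletable) do
  # Post-order walk: children are yielded before their parent.
  def each_in_subtree(&blk)
    children.each { |c| c.each_in_subtree(&blk) }
    blk.call(self)
  end
end

# Shallow behaviour described in the issue: only the root of the deleted
# subtree is access-checked, and only its hook fires.
def delete_shallow(node, on_change:)
  raise AccessDenied, node.name unless node.deletable
  on_change.call(node)
  [node.name]
end

# Deep visit: first check every node (a denial aborts before any side effect),
# then fire the hook for every node, children first.
def delete_deep(node, on_change:)
  node.each_in_subtree { |n| raise AccessDenied, n.name unless n.deletable }
  visited = []
  node.each_in_subtree { |n| on_change.call(n); visited << n.name }
  visited
end

# Constructed sample data: order -> line_item -> audit_entry.
def sample_tree(child_deletable: true)
  audit = Node.new("audit_entry", [], child_deletable)
  item  = Node.new("line_item", [audit], true)
  Node.new("order", [item], true)
end

def run_demo
  seen = { shallow: [], deep: [] }
  delete_shallow(sample_tree, on_change: ->(n) { seen[:shallow] << n.name })
  delete_deep(sample_tree, on_change: ->(n) { seen[:deep] << n.name })
  # Shallow delete succeeds even though a child forbids deletion.
  seen[:shallow_bypass] = delete_shallow(sample_tree(child_deletable: false), on_change: ->(_) {})
  seen[:deep_denied] = begin
    delete_deep(sample_tree(child_deletable: false), on_change: ->(n) { seen[:deep] << n.name })
  rescue AccessDenied => e
    e.message
  end
  seen
end

p run_demo if __FILE__ == $PROGRAM_NAME
```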
