I checked in a bunch of code updates to support use of phpGACL in various places. There’s more to be done, but this is a big step in the right direction. Hopefully I have not added any bugs, but it’s possible.
Note that phpGACL is not required, and by default is not used. It’s also possible to implement fine-grained access control without using phpGACL at all; for that you’d add custom code to library/acl.inc.