diff --git a/src/main/java/org/caosdb/server/database/backend/transaction/RetrieveFullEntityTransaction.java b/src/main/java/org/caosdb/server/database/backend/transaction/RetrieveFullEntityTransaction.java
index f5b897ad93738e32633faf7b7ddf06378ece58e0..a45a86a15c4f1ce72482c57f1a30d5a70f2a6624 100644
--- a/src/main/java/org/caosdb/server/database/backend/transaction/RetrieveFullEntityTransaction.java
+++ b/src/main/java/org/caosdb/server/database/backend/transaction/RetrieveFullEntityTransaction.java
@@ -31,6 +31,7 @@ import org.caosdb.server.database.BackendTransaction;
 import org.caosdb.server.database.exceptions.EntityDoesNotExistException;
 import org.caosdb.server.datatype.CollectionValue;
 import org.caosdb.server.datatype.IndexedSingleValue;
+import org.caosdb.server.accessControl.Principal;
 import org.caosdb.server.datatype.ReferenceValue;
 import org.caosdb.server.entity.EntityID;
 import org.caosdb.server.entity.EntityInterface;
@@ -60,6 +61,7 @@ import org.caosdb.server.utils.EntityStatus;
 public class RetrieveFullEntityTransaction extends BackendTransaction {
 
   private final Container<? extends EntityInterface> container;
+  private final Principal principal;
 
   public RetrieveFullEntityTransaction(final EntityInterface entity) {
     final Container<EntityInterface> c = new Container<>();
@@ -67,8 +69,9 @@ public class RetrieveFullEntityTransaction extends BackendTransaction {
     this.container = c;
   }
 
-  public RetrieveFullEntityTransaction(final Container<? extends EntityInterface> container) {
+  public RetrieveFullEntityTransaction(final Container<? extends EntityInterface> container, final Principal principal) {
     this.container = container;
+    this.principal = principal;
   }
 
   public RetrieveFullEntityTransaction(final EntityID id) {
@@ -226,7 +229,7 @@ public class RetrieveFullEntityTransaction extends BackendTransaction {
 
     // check whether the referenced entity may be retrieved
     final EntityACL entityACL = ref.getEntityACL();
-    if (!entityACL.isPermitted(SecurityUtils.getSubject(), EntityPermission.RETRIEVE_ENTITY)) {
+    if (!entityACL.isPermitted(this.principal, EntityPermission.RETRIEVE_ENTITY)) {
       return;
     }
     // recursion! (Only for the matching selections)
diff --git a/src/main/java/org/caosdb/server/entity/RetrieveEntity.java b/src/main/java/org/caosdb/server/entity/RetrieveEntity.java
index 00a120fbf023024eae8acc5788a9260d020a956d..887e7d126b4b6da3983a276e3f40eb226e2b2b92 100644
--- a/src/main/java/org/caosdb/server/entity/RetrieveEntity.java
+++ b/src/main/java/org/caosdb/server/entity/RetrieveEntity.java
@@ -24,6 +24,8 @@
  */
 package org.caosdb.server.entity;
 
+//TODO document the use of this class; it seems to exist of only constructors
+
 public class RetrieveEntity extends Entity {
 
   public RetrieveEntity() {
diff --git a/src/main/java/org/caosdb/server/query/Query.java b/src/main/java/org/caosdb/server/query/Query.java
index 117176ec5c6a1fcb10e588b860926b02eb76a2a9..29361d3a5f09ffc53cae52b3a767f31a1816c0c2 100644
--- a/src/main/java/org/caosdb/server/query/Query.java
+++ b/src/main/java/org/caosdb/server/query/Query.java
@@ -77,6 +77,10 @@ import org.caosdb.server.transaction.WriteTransaction;
 import org.jdom2.Element;
 import org.slf4j.Logger;
 
+
+// TODO Document: The query is initialized with a RetrieveTransaction and its
+// Container. The container is filled by the Query with the resulting IDs. The
+// Retrieve transaction then handles the retrieve of all respective Entities.
 public class Query implements QueryInterface, ToElementable, EntityTransactionInterface {
 
   /** Class which represents the selection of (sub)properties. */