in reply to Orthogonal Code and Security

In most security models the statement "I am doing something allowable!" is orthogonal to the statement "I find myself able to do this!" While the two pieces of information look similar, they are not, and so you find yourself wondering why you are repeating things.

Remember that orthogonality means two things. First, that you do not repeat yourself. Secondly, that you do not intertwine things that are only accidentally connected to each other.

So your approach is, in my eyes, orthogonal. What I would add to make it more orthogonal is that the hash should not hold an access level; rather, have the key be what appears in the URL and the value be the corresponding path in your system. That way you are no longer advertising information about your directory structure, and if you ever changed your directory structure you would be able to avoid breaking old URLs. (Or you could make it work from two different URLs.)

Incidentally, note how I said "in most security models". At least one model I respect (on theoretical grounds at least) takes the approach that the only way you can try to do things is simultaneously how you validate that you can do it. Conceptually this is like saying that you have no need to validate whether someone can open the file that they are requesting to open, because the only way they can name that file is through the directory handle, and the directory handle only shows them files they are allowed to open.

If that is confusing, read the introductory essays there on capabilities (which are NOT to be confused with POSIX "capabilities"). Then re-read it comparing in your mind exactly how an OO system protects its internal data structures...

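An added example (not code from the thread, and not tilly's) of the design the reply sketches: a hash whose keys are opaque tokens that appear in the URL and whose values are server-side paths. The key is the only way a client can name a file, so the lookup itself is the authorization check and there is no separate "is this path allowed?" step to repeat; publishing the same file twice gives two working URLs, and moving the directory tree only rewrites the values. A naive handler that carries a real path fragment in the URL is included for contrast, because it has to validate the path on its own. The class and function names, the `FileCatalog` table, and the throwaway directory it builds are all assumptions for illustration.

```python
"""Opaque URL keys mapped to filesystem paths (capability-style lookup).

Added example; FileCatalog, serve, naive_serve and the sample tree built in
demo() are illustrative assumptions, not code from the original thread.
"""
import os
import secrets
import shutil
import tempfile
from typing import Dict, Optional, Tuple


class FileCatalog:
    """Maps random URL keys to server paths. Because a client can only name a
    file through a key it was given, resolve() is the whole access check."""

    def __init__(self) -> None:
        self._by_key: Dict[str, str] = {}

    def publish(self, path: str) -> str:
        """Register a server path under a fresh random key and return the key
        that goes in the URL. Publishing the same path twice yields two keys."""
        key = secrets.token_urlsafe(16)
        self._by_key[key] = path
        return key

    def resolve(self, key: str) -> Optional[str]:
        """Return the path behind a key, or None if the key is unknown."""
        return self._by_key.get(key)

    def move(self, old_path: str, new_path: str) -> int:
        """Directory layout changed: repoint every key at the new path so old
        URLs keep working. Returns the number of keys updated."""
        updated = 0
        for key, path in self._by_key.items():
            if path == old_path:
                self._by_key[key] = new_path
                updated += 1
        return updated


def serve(catalog: FileCatalog, url_key: str) -> Tuple[int, bytes]:
    """Toy handler for the key-based design: (status, body). There is no path
    validation here; an unknown or mangled key simply cannot name anything."""
    path = catalog.resolve(url_key)
    if path is None:
        return 404, b""
    with open(path, "rb") as fh:
        return 200, fh.read()


def naive_serve(docroot: str, url_path: str) -> Tuple[int, bytes]:
    """Contrast: the URL carries a real path fragment, so the handler must check
    where it lands (the "able to" check) and, separately, whether the caller
    may read it (the "allowed to" check), which is the repetition discussed."""
    docroot = os.path.realpath(docroot)
    full = os.path.realpath(os.path.join(docroot, url_path))
    if os.path.commonpath([docroot, full]) != docroot:
        return 403, b""  # traversal out of the document root
    if not os.path.isfile(full):
        return 404, b""
    with open(full, "rb") as fh:
        return 200, fh.read()


def demo() -> Dict[str, object]:
    """Build a throwaway tree (constructed sample data) and exercise both designs."""
    root = tempfile.mkdtemp()
    try:
        old_dir = os.path.join(root, "reports", "2003")
        os.makedirs(old_dir)
        old_path = os.path.join(old_dir, "q1.txt")
        with open(old_path, "wb") as fh:
            fh.write(b"quarterly numbers")

        catalog = FileCatalog()
        k1 = catalog.publish(old_path)
        k2 = catalog.publish(old_path)  # a second URL for the same file
        results: Dict[str, object] = {
            "k1_status": serve(catalog, k1)[0],
            "k2_status": serve(catalog, k2)[0],
            "unknown_key": serve(catalog, "not-a-real-key")[0],
            "traversal_in_key": serve(catalog, "../" + k1)[0],
            "path_leaked": "reports" in k1,
            "naive_ok": naive_serve(root, "reports/2003/q1.txt")[0],
            "naive_traversal": naive_serve(root, "../../etc/passwd")[0],
        }

        # Reorganise the tree: values change, keys (and thus URLs) do not.
        new_dir = os.path.join(root, "archive", "2003")
        os.makedirs(new_dir)
        new_path = os.path.join(new_dir, "q1.txt")
        os.rename(old_path, new_path)
        results["keys_updated"] = catalog.move(old_path, new_path)
        results["k1_after_move"] = serve(catalog, k1)[0]
        results["body_after_move"] = serve(catalog, k1)[1]
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point to notice is that `serve` contains no "is this allowed?" branch at all: a client holding a key is, by construction, a client that was handed it, which is the capability idea from the last paragraph of the reply. `naive_serve` needs the `commonpath` guard because the URL names a real location, and that guard still says nothing about whether the caller may read what it names.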