1) IMO yes, but: it’s not a leaky abstraction as such, precisely because it’s in a tag. Tags exist to abstract implementation details from the view. It’s also arguable that doing the access lookup in the action makes the action responsible for something that’s relevant only to the view layer.

Another issue with encapsulating the data access in the tag itself is that if there are many uses of the tag on the page there may be more data access than necessary, slowing response time. A clever tag could mitigate this by caching values, or caching may be implemented at a deeper level.

2) A tag like that should be acting against the current user object, which should have encapsulated the user’s rights already (probably on login). That said, it may not be sufficient to use cached values to determine access rights if those rights may change during a user’s session.

3) I don’t know; without knowing more details IMO that’s impossible to answer.

4) Depends. Doing the same thing multiple ways can lead maintenance nightmares.

If there’s an effort to re-structure the application according to best practices, then yes, new development should follow better patterns. If there isn’t, IMO it’s more confusing to introduce multiple ways of doing the same thing, and makes it more difficult for those who follow because they then need to decide which way to do something, determine if there’s a functional difference between the different ways, and so on.