1. It is not essential, but is necessary to add QA_USER_LEVEL_APPROVED to $permitoptions of p2c_layer.php.
2. I feel if plugin use Q2A API functions for permission feature, plugin will be more better.
qa-app-admin.php::qa_admin_permit_options()
qa-app-users.php::qa_user_permit_error() / qa_permit_error() / qa_permit_value_error()
maxjtechno will have much information about the real use issue than me.