Stefan H. Holek wrote:
Note that I found it to be relevant which object I want to acquire (don't ask me why, though).
Because the policy checks the roles on the acquired object? As Dieter points out, 'setDefaultAccess(deny)' should only apply to subobjects which do *not* have their own roles.
E.g. going back to my CMFDefault examples, I *can* acquire portal_workflow and portal_url, but I can *not* acquire portal_membership and acl_users from a denied context. Go figure.
If I change the test below to "app.wanted = PartlyProtectedSimpleItem3()" the test fails on current 2_7-branch ...
But that test fails on 2.7.2, as well. My change was actually to the implementation of 'guarded_getattr', which is not tested in 'testZopeSecurityPolicy' (the location of my original patch); rather, its tests are in 'testZopeGuards' (where my second patch applies). I have not yet bee able to write a good test there yet (one which either passes on the 2.7 head and fails for 2.7.2, or vice versa). Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com