Casey Duncan wrote at 2004-6-18 09:58 -0400:
... Security was tightened for getObject recently as part of a general refactor of that code. I am happy to consider whether the security is too tight, in which case it could be backed off a bit.
I think, you should only require access rights to the object itself and not to all folders from the root to the object. It is not uncommon that upper levels are more restricted than subhierarchies. This is what Zope's URL traversal allows: Only the object identified by URL traversal is access checked. That ZCatalog identifies objects by physical path is an implementation artifact. It should not make it impossible to access an object via the catalog that otherwise can be accessed without problem.
... For hysterical raisins, REQUEST.traverse() does not behave this way. It instead checks only the final object traversed. That's a good behaviour...
-- Dieter
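
The two checking policies contrasted in this thread, as an added example that is not part of the original e-mails and is not Zope code: a simplified model in which `Node`, the role names and the sample hierarchy are all constructed for illustration.

```python
class Unauthorized(Exception):
    """Raised with the name of the node the caller may not access."""

class Node:
    def __init__(self, name, allowed_roles, children=()):
        self.name = name
        self.allowed_roles = set(allowed_roles)
        self.children = {c.name: c for c in children}

def _walk(root, path):
    """Yield every node from the root down to the object named by path."""
    node = root
    yield node
    for segment in filter(None, path.split("/")):
        node = node.children[segment]  # KeyError if the path does not exist
        yield node

def _check(node, roles):
    if not node.allowed_roles & set(roles):
        raise Unauthorized(node.name)

def get_object_check_every_step(root, path, roles):
    """Tightened policy: every container on the physical path is checked,
    so a restricted ancestor blocks access to a permitted descendant."""
    node = root
    for node in _walk(root, path):
        _check(node, roles)
    return node

def get_object_check_final_only(root, path, roles):
    """URL-traversal-style policy: only the object finally reached is
    checked; intermediate containers are walked without a check."""
    *_, node = _walk(root, path)
    _check(node, roles)
    return node

# Constructed hierarchy: restricted upper levels, one open leaf.
SITE = Node("root", {"Manager"}, [
    Node("internal", {"Manager"}, [
        Node("public-report", {"Manager", "Anonymous"}),
        Node("private-report", {"Manager"}),
    ]),
])

if __name__ == "__main__":
    path = "/internal/public-report"
    print(get_object_check_final_only(SITE, path, ["Anonymous"]).name)
    try:
        get_object_check_every_step(SITE, path, ["Anonymous"])
    except Unauthorized as exc:
        print("blocked at:", exc)
```

Under either policy the object's own permission is still enforced; the policies differ only in whether ancestors on the physical path are also checked.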