* It is my understanding (after long analysis of the source) that what I'm doing with self._security is okay. I mean, it seems to me I should be able to redeclare my permission settings at run-time. Is this correct, or am I missing something? Acquisition is still rough to me.
This has little to do with acquisition. I have no idea what "declareStaticPermissions(self._security)" does. ClassSecurityInfo applies to classes. You're trying to apply it to an object -- the 'self' argument of your method. I would not expect this to work properly. If it works at all, I'd expect it to re-apply security directives to the class (that is, to all of your objects), not the one object you want to apply this to. When do you need this web services stuff to work? All of this is very much easier in Zope 3. You can customise the permissions for individual objects, and create persistent classes. Of course, Zope 3 isn't ready for general use yet... -- Steve Alexander