Hmmm. Hence the problem with properties that meant OFS.Item.SimpleItem had to have __allow_access_to_unprotected_subobjects__=1?
Can you not just assign roles to properties as they're created or am I missing something else?
That's one way to do it - but it will require some thought to make sure we do it right. Having the "=1" assertion is a short-term solution intended to avoid breaking everyone's code for 2.2 while taking a step on the road to changing the default policy. I expect that it will soon make a distinction between properties and attributes that are not properties, which will be the next step on the road. I'd like to see this for 2.3, but I don't promise specific features for particular release numbers anymore :) I do want it to be Soon.

My hope is that we'll release a 2.x beta where:

  o far less things are available via the __allow_... hack

  o product authors and app builders will have auth problems because they're using attrs formerly covered by the hack

  o the new security assertion spelling from dev.zope.org will be available and make it much easier for people to go in and protect the problem attrs correctly :)

  o most if not all of the Zope core will be using the new assertion style, which will help the product authors along with the "guide" to making security assertions that will be a deliverable of that dev.zope.org project

  o we'll be one more step closer to where we want to be

Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com