Zope 2.3, from cvs on 2000-12-24, patched with Chris P's latest ZCatalog stuff. I'm getting a bad interaction between ZClasses, ZCatalog and __bobo_traverse__. I have some ZClasses that are accessed via a container that implements __bobo_traverse__. The problem is that, although I can get to the ZClass instances by typing a URL into by browser, I get a security error when I try to get to them using restrictedTraverse. This causes a problem, as it means these instances cannot be catalogued in a ZCatalog, because ZCatalog now uses restrictedTraverse to get an object for indexing. The zope security validation gets stuck between not knowing for sure what the object's container is (according to comments from Traversable.py), and ZClasses not returning anything for __roles__. ZPatterns jargon paragraph: All this causes a problem if you want to use the ZPatterns idiom of ZClass DataSkins in a Specialist, catalogued using a ZCatalog. You can get around it by providing a __roles__ attribute using SkinScript. Is there some bug in the ZClasses __roles__ machinery? When does __roles__ get set on objects or classes anyway? I've found the description of what __roles__ are used for in the old Trinkets tutorial document. I think things have moved on a bit since then, though. Some relevant code snippets: Traversable.py t=get(object, '__bobo_traverse__', N) if t is not N: o=t(REQUEST, name) # Note we pass no container, because we have no # way of knowing what it is if (restricted and not securityManager.validate( object, None, name, o)): raise 'Unauthorized', name ZopeSecurityPolicy.py, line 123: # Try to get roles roles=getattr(value, '__roles__', _noroles) if roles is _noroles: ############################################################ # We have an object without roles. Presumabely, it's # some simple object, like a string or a list. -- Steve Alexander Software Engineer Cat-Box limited http://www.cat-box.net