Hi Sandor, thanks for the reply.
AFAIK restrictedTraverse(path) checks roles on every step of the path. It uses the __role__ attribute of the object.
Yup, that's the problem. Here's what I ended up doing::

    result = []
    # search the catalog, then keep only the hits the current user may access
    for p in self.Catalog({'meta_type': meta_type, prop_name: value}):
        obj = p.getObject()
        # first permission tuple on the class: (permission name, method names)
        permission = obj.__ac_permissions__[0][0]
        if self.REQUEST.AUTHENTICATED_USER.has_permission(permission, obj):
            result.append(obj)

That 'obj.__ac_permissions__[0][0]' looks dog-ugly to me. I'm sure there must be a better way.
You may want to have a look at the declareObject* methods: http://zope.org/Documentation/Books/ZDG/current/Security.stx#3-45
My objects are already protected::

    security.declareObjectProtected('View Customer')

but this only helps when the user is browsing to the object through the web, or when I use 'restrictedTraverse' or another security checker explicitly, as above. The 'obj.__ac_permissions__[0][0]' lookup returns the permission specified by the 'declareObjectProtected' call on the class.

-- 
Jean Jordaan
http://www.upfrontsystems.co.za /training <-- Zope/Plone training!
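An added example, not code from the thread, showing a more robust version of the filter above. It does not import Zope: the Customer class only reproduces the __ac_permissions__ layout that ClassSecurityInfo builds, where declareObjectProtected is recorded with the empty method name '' standing for the object itself, and the has_permission callable is a constructed stand-in for REQUEST.AUTHENTICATED_USER.has_permission.

```python
from typing import Callable, Iterable, List, Optional

# Modelled after Zope's __ac_permissions__: a tuple of
# (permission_name, (method_name, ...)) pairs. The entry produced by
# declareObjectProtected() lists the empty name '', i.e. the object itself.
class Customer:
    __ac_permissions__ = (
        ('Manage Customer', ('edit', 'delete')),   # deliberately first
        ('View Customer', ('', 'index_html')),      # object-level permission
    )
    def __init__(self, name: str):
        self.name = name

class Unprotected:
    # No declareObjectProtected(): nothing guards the object itself.
    __ac_permissions__ = (('Manage Notes', ('edit',)),)
    def __init__(self, name: str):
        self.name = name

def object_permission(obj) -> Optional[str]:
    """Permission protecting the object itself, or None if none is declared.
    Unlike obj.__ac_permissions__[0][0] this does not depend on the
    object-level entry happening to be first in the tuple."""
    for permission, names in getattr(obj, '__ac_permissions__', ()):
        if '' in names:
            return permission
    return None

def filter_by_permission(objects: Iterable,
                         has_permission: Callable[[str, object], bool]) -> List:
    """Keep only objects the caller may access. Fails closed: an object that
    declares no object-level permission is dropped rather than leaked."""
    result = []
    for obj in objects:
        permission = object_permission(obj)
        if permission is not None and has_permission(permission, obj):
            result.append(obj)
    return result

# Constructed stand-in for the user's has_permission(): a flat
# role -> permissions table instead of Zope's acquisition-based lookup.
ROLE_PERMISSIONS = {
    'Manager': {'View Customer', 'Manage Customer', 'Manage Notes'},
    'Member': {'View Customer'},
    'Anonymous': set(),
}

def make_user(role: str) -> Callable[[str, object], bool]:
    granted = ROLE_PERMISSIONS.get(role, set())
    return lambda permission, obj: permission in granted

if __name__ == '__main__':
    hits = [Customer('acme'), Unprotected('scratch'), Customer('globex')]
    print([o.name for o in filter_by_permission(hits, make_user('Member'))])
```

With the permission tuples ordered as above, the thread's `[0][0]` lookup would check 'Manage Customer' instead of 'View Customer', so the Member role would wrongly lose every hit.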