For example, using the ZPT stuff, if you put here/title as an output variable (similar to <dtml-var title>), you get the same unauthorized traceback as stated below. This means that the object doesn't have access to its own properties, surely not!
This *might* be a bug in ZPT... If I were you, I might try asking a question about this on the ZPT list... or maybe someone who knows lots about ZPT will stumble upon it here.
I'm not saying that there is a security hole in Zope, quite the opposite. Access is being denied to things that the current user should have access to. This has meant that I'm having to loosen security on some of my 'bits' to allow the user to see things correctly. This only started happening with 2.3.x (and maybe some of the betas). Zope 2.2.x did not seem to have this problem.
If there are places in Zope where it's broken, we'd like to know... thanks! - C