[Zope-CMF] security questions writing unit tests

robert robert@redcor.ch
Wed, 30 Oct 2002 08:33:18 +0100


Hello,

I am writing unit tests for a Plone-based intranet.

My question: why can user kurt delete the folder "xyz" which was created 
by hans and set to state private?

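 # module-level import needed by the test below
 from AccessControl.SecurityManagement import newSecurityManager, noSecurityManager

 def testAddDocument(self):
    """ test AddDocument """
    userfolder = self.portal.acl_users
    # create hans, then give him the Manager role (password becomes 'secret')
    userfolder.userFolderAddUser('hans', 'hans', [], [])
    hans = userfolder.getUser('hans').__of__(userfolder)
    userfolder._changeUser('hans', 'secret', 'secret', ['Manager'], ())
    # create kurt without any roles
    userfolder.userFolderAddUser('kurt', 'kurt', [], [])
    kurt = userfolder.getUser('kurt').__of__(userfolder)
    # as hans: create the folder and set it to private via the "hide" transition
    newSecurityManager(None, hans)
    self.portal.invokeFactory('Folder', 'xyz')
    self.portal.portal_workflow.doActionFor(self.portal.xyz, "hide", comment='')
    noSecurityManager()
    # as kurt: try to delete hans's private folder
    newSecurityManager(None, kurt)

    self.portal.manage_delObjects(ids='xyz')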

Why does that last line not generate an error???

Thanks for your tips

Robert