[Zope-CMF] trivial new portal folder type gives weird workflow/security behavior?

[chris]

Hullo all,

just for fun I wrote (yet another) ordered folder type (which you're all 
very welcome to), in so doing I came across this strange and easily 
reproducible behavior: a trivial new portal folder types magically seem 
to become 'publishable', this subsequently seems to mess up the workflow 
and security for its contained items. Is this a bug? Or, am I just 
confused? (think I may know the answer to this last one already ;-)

The following creates a trivial new Portal Folder type and demonstrates 
the proposed problem:

1) create a new cmf-1.3 site: SERVER.COM / PORTAL

2) in its portal_types, add a new factory-base-type-information with 
id=FOO based on 'CMF:Core Portal Folder'

3) create a new 'FOO' with id=BAR, i.e SERVER.COM / PORTAL / BAR

4) goto the 'folder contents' of BAR, notice that it has a 'publish' 
action - which wouldn't be there for a normal Portal Folder.

5) create some documents X and Y inside BAR

6) visit X and publish it.

7) now check what's visible to the outside world; despite being 
'published', a request to SERVER.COM / PORTAL / BAR / X yields a 
'login_form'. Surely this isn't right?

...but it gets worse...

8) visit our folder-like object BAR and publish it (ignoring the error 
that's produced)

9) check again what the outside world can see; SERVER.COM / PORTAL / BAR 
/ X is now visible, which is good. But a request to the still 'private' 
SERVER.COM / PORTAL / BAR / Y is also granted. Surely this isn't right 
either?

Okay, demo over. So the question is: why don't trivial Portal Folder 
derivatives behave nicely like real Portal Folders do? Is this a problem 
with the FTI mechanism? Or have I _really_ misunderstood something? All 
comments gratefully received!

Best regards,
Chris.