[Zope-dev] Methods with no __roles__ defined no always protected?

[Chris Withers]

Toby Dickenson wrote:
> Firstly, I assume your management page is a dtml file on disk, not a
> dtml object stored in the ZODB. dtml files bypass *all* security
> checks.

That's nice :(

> Secondly, all objects that inherit from OFS.Item.SimpleItem (that is,
> almost all high level objects) have the
> __allow_access_to_unprotected_subobjects__ flag set. Your method would
> be callable from through-the-web dtml too.

Even though it now has a permission attached to it?

cheers,

Chris