[Zope-dev] RFClarification: Security on Product Attributes

[Phillip J. Eby]

At 12:27 PM 10/4/00 -0400, Brian Lloyd wrote:
>
>I've verified (any of my previous comments to the contrary) that 
>simple attributes (python types) do not really play in the 
>permissions machinery. The canonical way to expose such things 
>for now is to expose them through method calls (which can play 
>in the permissions scheme). 
>

IIRC, this stuff got broken by the switch to the new security machinery.
ZopeSecurityPolicy doesn't check 'foo__roles__' on the parent object the
way ZPublisher does/did.