[Zope-dev] Security Machinery doesn't work on some objects?

[Chris Withers]

Hi there,

I'm slightly confused by a class I have:

class X(Persistent, Acquisition.Explicit):

This class has no __roles__, no __ac_permissions__, no nothing...
Instances of this class are stored within a special folderish class, Y.

This folderish class has a __bobo_traverse__ which returns X objects,
wrapped in context, from it's self._xs BTree using something along the
lines of:

    def __bobo_traverse__(self, REQUEST, name):
        ob = getattr(self, name, _marker)
	if ob == _marker:
		ob = 
        return self._xs[name].__of__(self)

Now, it appears no methods or other attributes of this class are
protected by the security machinery, even though the instances involved
are wrapped. The DocString stuff still applies but, once a method has a
docstring, any anonymous user who can traverse to one of these objects,
can execute any method (attributes whinge about a missing docstring, how
bizarre, attepting to traverse to __init__ complains the method starts
with a _ ;-) of that instance which is more than a little disturbing ;-)

I thought Zope's security policy had changed to be disallow by default,
but that really doesn't seem to be the case here :-S
What am I missing out on? Is there some mixin class I need or something
I need to acquire to make the security machinery check these objects?

confusedly and worriedly,

Chris