[Zope] security changes from 2.5 -> 2.6?

Rob Miller ra@burningman.com
Sun, 2 Mar 2003 19:21:19 -0800


hi there,

i'm trying to migrate a plone project from zope 2.5.1 to zope 2.6.1.  
the app relies heavily on database driven local roles information, for 
which we're using zpatterns and loginmanager.

so we've created these custom plone folders called 'teamfolders'.  
these folders are dataskins, and they override get_local_roles() and 
get_local_roles_for_userid(), returning the appropriate responses based 
on the team membership information that is in the database.  similarly, 
in our user class, we've overridden getRolesInContext().

in zope 2.5.1 this all works beautifully.  zope recognizes the local 
roles and allows access accordingly.  even the 'local_roles' link on 
the security tab still works, although it doesn't allow you to delete 
the local roles that originate from the database.

when i import my product into 2.6.1, however, things don't work as 
smoothly.  everything looks like it should work... the local roles page 
still displays the right information.  a test page that i've written 
consistently displays the expected results for here.get_local_roles() 
and here.get_local_roles_for_userid(), as well as 
user.getRolesInContext().  but zope doesn't allow the access based on 
this information.  that is, even when 'teammember' is showing up on the 
user's local roles list, zope isn't allowing the user to perform 
actions that should be allowed to 'teammember'.

has something changed within zope's security implementation?  is there 
a new method that needs to be overridden that i don't know about?  does 
anyone have any other ideas why this might be happening?  i've searched 
on the zope.org site and the mailing lists to no avail...  any info 
anyone can provide would be greatly appreciated!

thanks!

-r