Basically, if you're using a ZPT with a content-type text/xml, using a TAL path expression to access an attribute or method causes a security violation (Unauthorized). It does not happen if the ZPT is using content-type text/html.
Ah, guarded_getattr is doing something wrong with Unicode attribute names, though I'm not sure exactly what.
Thanks for the pointer -- I've updated the bug.
Evan @ 4-am
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce