Note that I found it to be relevant which object I want to acquire (don't ask me why, though).
Because the policy checks the roles on the acquired object? As Dieter points out, 'setDefaultAccess(deny)' should only apply to subobjects which do *not* have their own roles.
E.g. going back to my CMFDefault examples, I *can* acquire portal_workflow and portal_url, but I can *not* acquire portal_membership and acl_users from a denied context. Go figure.
If I change the test below to "app.wanted = PartlyProtectedSimpleItem3()" the test fails on current 2_7-branch ...
But that test fails on 2.7.2, as well. My change was actually to the implementation of 'guarded_getattr', which is not tested in 'testZopeSecurityPolicy' (the location of my original patch); rather, its tests are in 'testZopeGuards' (where my second patch applies).
I have not yet bee able to write a good test there yet (one which either passes on the 2.7 head and fails for 2.7.2, or vice versa).
Tres. -- =============================================================== Tres Seaver [EMAIL PROTECTED] Zope Corporation "Zope Dealers" http://www.zope.com
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce