Comment 11 for bug 142921

I looked back at this: basically, the issue here is that using 'security.declareObjectProtected' requires that you *also* set up the default role-permission mapping using 'setPermissionDefault', e.g.::

    'security.setPermissionDefault('View', ['Anonymous'])

"Local" role bindings are not available to the ClassSecurityInfo object at startup: the lazy lookup of those bindings which drives the normal protection of methods and attributes is driven by the ExtensionClass attribute getter, and can't work for the "bare" object itself.