I looked back at this: basically, the issue here is that using 'security.declareObjectProtected' requires that you *also* set up the default role-permission mapping using 'setPermissionDefault', e.g.::
"Local" role bindings are not available to the ClassSecurityInfo object at startup: the lazy lookup of those bindings which drives the normal protection of methods and attributes is driven by the ExtensionClass attribute getter, and can't work for the "bare" object itself.
I looked back at this: basically, the issue here is that using 'security. declareObjectPr otected' requires that you *also* set up the default role-permission mapping using 'setPermissionD efault' , e.g.::
'security. setPermissionDe fault(' View', ['Anonymous'])
"Local" role bindings are not available to the ClassSecurityInfo object at startup: the lazy lookup of those bindings which drives the normal protection of methods and attributes is driven by the ExtensionClass attribute getter, and can't work for the "bare" object itself.