Comment 1 for bug 143399

FWIW, I chatted about this in IRC with r33t and it does appear to be some sort of bug. The same configuration works in 2.7.3 and 2.7.4 but does not work in 2.7.5 and 2.7.6.

The suspicious things in changes.txt for 2.7.5 are:

 - AccessControl/User.py: _check_context() has not been called
   for authenticated users
- guarded_getattr: Restored ability to aquire "through" unprotected
 contexts, broken through overzealous cleanup in Zope 2.7.3.