FWIW, I chatted about this in IRC with r33t and it does appear to be some sort of bug. The same configuration works in 2.7.3 and 2.7.4 but does not work in 2.7.5 and 2.7.6.
The suspicious things in changes.txt for 2.7.5 are:
- AccessControl/User.py: _check_context() has not been called
for authenticated users
- guarded_getattr: Restored ability to aquire "through" unprotected
contexts, broken through overzealous cleanup in Zope 2.7.3.
FWIW, I chatted about this in IRC with r33t and it does appear to be some sort of bug. The same configuration works in 2.7.3 and 2.7.4 but does not work in 2.7.5 and 2.7.6.
The suspicious things in changes.txt for 2.7.5 are:
- AccessControl/ User.py: _check_context() has not been called
for authenticated users
- guarded_getattr: Restored ability to aquire "through" unprotected
contexts, broken through overzealous cleanup in Zope 2.7.3.