Suppose we have a permission 'schoolbell.create' that lets users create objects.
If a user that has this permission try to add an object with an add form, he gets
an error:
[...]
File "Zope3/src/zope/interface/adapter.py", line 468, in subscribers
return [subscription(*objects) for subscription in subscriptions]
File "Zope3/src/zope/app/dublincore/timeannotators.py", line 26, in ModifiedAnnotator
dc.modified = datetime.utcnow()
Unauthorized: (<zope.app.dublincore.annotatableadapter.ZDCAnnotatableAdapter object at 0x41ab230c>, 'modified', 'zope.app.dublincore.change')
Suggested solution: unwrap the dc adapter with removeSecurityProxy in the IObjectModifiedEvent handler. After all, not all principals that can add/modify objects must have the zope.app.dublincore.change permission.
I'll commit this solution in a few moments as it keeps my functional tests from passing. The solution will not have tests as the situation requires a lot of setup to reproduce.
Suggested fix committed in revision 29304.