
zope_security_observations

Findings about Zope's security mechanism

* You can raise a string "Unauthorized" to create a 401 Error
* The user you get via sm.getUser reflects the login/password passed by the browser, not the user actually needed - that means that a script can be accessible by 'view' and still raise a 401 from inside
* The security declarations are made within the class of the objects, usually on the instances as well as on methods - via security.declareProtected

Questions:

* What's the purpose of __ac_permissions__, as found in PropertyTools
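The following is an added illustration, not code from Zope or from this page: a small stand-alone model of what a class-level __ac_permissions__ tuple (the structure that security.declareProtected plus InitializeClass produce on a Zope class) does, namely tie permission names to method names so that a role check can raise Unauthorized. The class name ExamplePropertyTool, the helper names declare_protected, guarding_permission and check_access, and the permission-to-roles dictionary are assumptions made for the example; only __ac_permissions__, Unauthorized, "View" and "Manage properties" are real Zope names.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized: the caller's roles do not
    grant the permission that guards the requested method."""


def declare_protected(cls, permission, *names):
    """Model of the effect of security.declareProtected(permission, *names)
    once InitializeClass has run: append a (permission, method names) entry
    to the class's __ac_permissions__ tuple. Constructed helper, not Zope's API."""
    existing = getattr(cls, "__ac_permissions__", ())
    cls.__ac_permissions__ = existing + ((permission, tuple(names)),)


class ExamplePropertyTool:
    # Hypothetical class. Zope stores declarations in this shape:
    # (permission name, (method names protected by it, ...)).
    __ac_permissions__ = (
        ("View", ("index_html",)),
        ("Manage properties", ("manage_editProperties",)),
    )

    def index_html(self):
        return "public page"

    def manage_editProperties(self):
        return "properties changed"

    def _helper(self):
        # No declaration: this model treats undeclared methods as not published.
        return "internal"


def guarding_permission(cls, method_name):
    """Return the permission that protects method_name, or None if undeclared."""
    for permission, names in getattr(cls, "__ac_permissions__", ()):
        if method_name in names:
            return permission
    return None


def check_access(obj, method_name, user_roles, permission_roles):
    """permission_roles models the folder's permission settings, e.g.
    {"View": {"Anonymous", "Manager"}}. Raises Unauthorized on denial,
    otherwise calls the method and returns its result."""
    permission = guarding_permission(type(obj), method_name)
    if permission is None:
        raise Unauthorized("%s has no security declaration" % method_name)
    if not set(user_roles) & permission_roles.get(permission, set()):
        raise Unauthorized("%s required for %s" % (permission, method_name))
    return getattr(obj, method_name)()
```

In real Zope the check is done by the security policy against the roles resolved through acquisition, so the dictionary here only stands in for that lookup.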