Traversal Security Bug

First, I think I have partly tracked down what the security problem is that requires the use of __allow_acess_to_unprotected_subobjects__ on the archive and topic classes. After another pdb session, it seems that those classes do not have a __roles__ attribute, which the Zope security machinery wants, apparently. Actually, I think it's more than that. Even when I add a workaround of __roles__ = Acquisition.Acquired (so that the attribute is just picked up from the next persistent object it finds), things don't work properly as the security machinery chokes a little further down the line.

My best guess at the moment is that InitializeClass isn't getting called (properly?) by the Five ZCML handler for this. That's my next avenue of investigation.

Remote Authoring (aka MetaWeblogAPI)

The other news is that I've started refactoring the MetaWeblogAPI support into separate packages that implement the API with a view rather than a persistent subobject of Weblogs. This should make it easier to disable the functionality, and easier to apply it to alternative content types.

As things stand, I have a PAS IExtractionPlugin that gets user credentials from a MetaWeblog request, and a view that is largely a copy-n-paste job from the existing MetaWeblog implementation.

Some issues remain, though. While I can add the blog successfully with ScribeFire (nee Performancing) - which means at least one MetaWeblogAPI method is getting called without problem - attempts then to get category listings or otherwise use the API fail with a security error.

None of this is checked in to svn, yet. I will do so as and when it gets a little more polished.