[Zope] security issue!

Iago iago@iago.net
Fri, 19 Apr 2002 09:18:10 -0700


  The setting:

    I have a folder (call it foo/bar), on which I've unchecked Acquire
    Permissions Settings and checked Authenticated, so logins should be
    enforced when attempting to access that folder.

    In foo, I define the index_html method.

    In foo/bar I have file.txt

  The issue:

    If I try to access foo/bar, I do not get authenticated -- it _seems_
    to be going by the permissions governing foo/index_html, instead of
    foo/bar (before accessing) foo/bar/index_html (and then, lacking
    that, inheriting).

    If I try to access foo/bar/file.txt, I get asked to authenticate.

    This is wholly counterintuitive to someone who first did his
    authenticating years ago using .htaccess files -- permissions on a
    folder should affect attempts to acquire any resource within that
    folder, *regardless* of whether that resource is inherited or not!

    Is there a fix to this that doesn't involve the (less scalable)
    notion of copying the index_html method from the top into this
    directory?

Thanks

-- 
Fred Hicks <iago@iago.net>
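
The behaviour described in this message, as an added example that is not part of the original post and is not Zope code: a simplified model that assumes the View roles of a published object are looked up through the folders it is stored in, not the folders named in the URL. The `Node` class, all function names and the root folder's roles are hypothetical or constructed.

```python
# Simplified model, not Zope's implementation. Node and every function name
# below are hypothetical; the folder layout mirrors the message.
class Node:
    def __init__(self, name, container=None, is_folder=False, view_roles=None):
        self.name, self.container, self.is_folder = name, container, is_folder
        self.view_roles = view_roles   # None = permission settings are acquired
        self.children = {}
        if container is not None:
            container.children[name] = self

def acquire(context, name):
    """Find name in the innermost folder of the URL path that has it."""
    for folder in reversed(context):
        if name in folder.children:
            return folder.children[name]
    raise KeyError(name)

def publish(root, path):
    """Resolve a URL path to (published object, folders named in the URL)."""
    context = [root]
    for name in path.strip("/").split("/"):
        obj = acquire(context, name)
        if not obj.is_folder:
            return obj, context
        context.append(obj)
    return acquire(context, "index_html"), context   # folder URL: default method

def roles_by_containment(obj):
    """Assumed lookup: walk up from where the object is stored."""
    node = obj
    while node is not None:
        if node.view_roles is not None:
            return node.view_roles
        node = node.container
    return set()

def roles_by_context(context):
    """.htaccess-style expectation: innermost folder in the URL decides."""
    for folder in reversed(context):
        if folder.view_roles is not None:
            return folder.view_roles
    return set()

def needs_login(roles):
    return "Anonymous" not in roles

# Constructed layout: root lets Anonymous view; foo/bar is restricted.
root = Node("", is_folder=True, view_roles={"Anonymous", "Manager"})
foo = Node("foo", root, is_folder=True)
Node("index_html", foo)
bar = Node("bar", foo, is_folder=True, view_roles={"Authenticated"})
Node("file.txt", bar)
```

Under the containment assumption, `foo/bar` publishes `foo/index_html` without a login while `foo/bar/file.txt` requires one, which matches the two observations in the message; `roles_by_context` shows the result the poster expected instead.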