Use new-style security declarations everywhere possible. This means

remove the use of __ac_permissions__, foo__roles__ and default__class_init__. A few corner cases can't be converted because of circular imports.

Use new-style security declarations everywhere possible. This means
remove the use of __ac_permissions__, foo__roles__ and default__class_init__. A few corner cases can't be converted because of circular imports.
41049f78 · Florent Guillaume · 02edbfa0 · 41049f78 · 41049f78 · 41049f78
Commit 41049f78 authored Nov 21, 2005 by Florent Guillaume
54 changed files
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -26,6 +26,11 @@ Zope Changes
    Features added
+      - Use new-style security declarations everywhere possible. This
+        means remove the use of __ac_permissions__, foo__roles__ and
+        default__class_init__. A few corner cases can't be converted
+        because of circular imports.
      - Fixed unclear security declarations. Warn when an attempt is
        made to have a security declaration on a nonexistent method.

--- a/lib/python/AccessControl/Owned.py
+++ b/lib/python/AccessControl/Owned.py
@@ -16,7 +16,11 @@ $Id$
 """
 import Globals, urlparse, SpecialUsers, ExtensionClass
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 from AccessControl import getSecurityManager, Unauthorized
+from AccessControl.Permissions import view_management_screens
+from AccessControl.Permissions import take_ownership
 from Acquisition import aq_get, aq_parent, aq_base
 from zope.interface import implements
@@ -35,13 +39,8 @@ class Owned(ExtensionClass.Base):
    implements(IOwned)
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('View management screens',
+    security.setPermissionDefault(take_ownership, ('Owner',))
-         ('manage_owner', 'owner_info')),
-        ('Take ownership',
-         ('manage_takeOwnership','manage_changeOwnershipType'),
-         ("Owner",)),
-        )
    manage_options=({'label':  'Ownership',
                     'action': 'manage_owner',
@@ -50,8 +49,10 @@ class Owned(ExtensionClass.Base):
                     },
                   )
+    security.declareProtected(view_management_screens, 'manage_owner')
    manage_owner=Globals.DTMLFile('dtml/owner', globals())
+    security.declareProtected(view_management_screens, 'owner_info')
    def owner_info(self):
        """Get ownership info for display
        """
@@ -67,7 +68,7 @@ class Owned(ExtensionClass.Base):
           }
        return d
-    getOwner__roles__=()
+    security.declarePrivate('getOwner')
    def getOwner(self, info=0,
                 aq_get=aq_get,
                 UnownableOwner=UnownableOwner,
@@ -101,7 +102,7 @@ class Owned(ExtensionClass.Base):
            if user is None: user = SpecialUsers.nobody
        return user
-    getOwnerTuple__roles__=()
+    security.declarePrivate('getOwnerTuple')
    def getOwnerTuple(self):
        """Return a tuple, (userdb_path, user_id) for the owner.
@@ -111,7 +112,7 @@ class Owned(ExtensionClass.Base):
        """
        return aq_get(self, '_owner', None, 1)
-    getWrappedOwner__roles__=()
+    security.declarePrivate('getWrappedOwner')
    def getWrappedOwner(self):
        """Get the owner, modestly wrapped in the user folder.
@@ -141,7 +142,7 @@ class Owned(ExtensionClass.Base):
        return user.__of__(udb)
-    changeOwnership__roles__=()
+    security.declarePrivate('changeOwnership')
    def changeOwnership(self, user, recursive=0):
        """Change the ownership to the given user.
@@ -174,6 +175,7 @@ class Owned(ExtensionClass.Base):
        if owner == info: return 0
        return security.checkPermission('Take ownership', self)
+    security.declareProtected(take_ownership, 'manage_takeOwnership')
    def manage_takeOwnership(self, REQUEST, RESPONSE, recursive=0):
        """Take ownership (responsibility) for an object.
@@ -193,6 +195,7 @@ class Owned(ExtensionClass.Base):
        RESPONSE.redirect(REQUEST['HTTP_REFERER'])
+    security.declareProtected(take_ownership, 'manage_changeOwnershipType')
    def manage_changeOwnershipType(self, explicit=1,
                                   RESPONSE=None, REQUEST=None):
        """Change the type (implicit or explicit) of ownership.
@@ -269,7 +272,7 @@ class Owned(ExtensionClass.Base):
            except: pass
            if s is None: object._p_deactivate()
-Globals.default__class_init__(Owned)
+InitializeClass(Owned)
 class EmergencyUserCannotOwn(Exception):

--- a/lib/python/AccessControl/Role.py
+++ b/lib/python/AccessControl/Role.py
@@ -18,7 +18,10 @@ from cgi import escape
 from Globals import DTMLFile, MessageDialog, Dictionary
 from Acquisition import Implicit, Acquired, aq_get
-import Globals, ExtensionClass, PermissionMapping, Products
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import change_permissions
+import ExtensionClass, PermissionMapping, Products
 from App.Common import aq_base
 from zope.interface import implements
@@ -41,21 +44,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
    implements(IRoleManager)
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('Change permissions',
-         ('manage_access', 'permission_settings',
-          'ac_inherited_permissions',
-          'manage_roleForm', 'manage_role',
-          'manage_acquiredForm', 'manage_acquiredPermissions',
-          'manage_permissionForm', 'manage_permission',
-          'manage_changePermissions', 'permissionsOfRole',
-          'rolesOfPermission', 'acquiredRolesAreUsedBy',
-          'manage_defined_roles', 'userdefined_roles',
-          'manage_listLocalRoles', 'manage_editLocalRoles',
-          'manage_setLocalRoles', 'manage_addLocalRoles',
-          'manage_delLocalRoles'
-          )),
-        )
    manage_options=(
        {'label':'Security', 'action':'manage_access',
@@ -74,6 +63,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
    #------------------------------------------------------------
+    security.declareProtected(change_permissions, 'ac_inherited_permissions')
    def ac_inherited_permissions(self, all=0):
        # Get all permissions not defined in ourself that are inherited
        # This will be a sequence of tuples with a name as the first item and
@@ -96,6 +86,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
        return tuple(r)
+    security.declareProtected(change_permissions, 'permission_settings')
    def permission_settings(self, permission=None):
        """Return user-role permission settings.
@@ -130,11 +121,13 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
            result.append(d)
        return result
+    security.declareProtected(change_permissions, 'manage_roleForm')
    manage_roleForm=DTMLFile('dtml/roleEdit', globals(),
                             management_view='Security',
                             help_topic='Security_Manage-Role.stx',
                             help_product='OFSP')
+    security.declareProtected(change_permissions, 'manage_role')
    def manage_role(self, role_to_manage, permissions=[], REQUEST=None):
        """Change the permissions given to the given role.
        """
@@ -146,11 +139,13 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
        if REQUEST is not None: return self.manage_access(REQUEST)
+    security.declareProtected(change_permissions, 'manage_acquiredForm')
    manage_acquiredForm=DTMLFile('dtml/acquiredEdit', globals(),
                                 management_view='Security',
                                 help_topic='Security_Manage-Acquisition.stx',
                                 help_product='OFSP')
+    security.declareProtected(change_permissions, 'manage_acquiredPermissions')
    def manage_acquiredPermissions(self, permissions=[], REQUEST=None):
        """Change the permissions that acquire.
        """
@@ -165,11 +160,13 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
        if REQUEST is not None: return self.manage_access(REQUEST)
+    security.declareProtected(change_permissions, 'manage_permissionForm')
    manage_permissionForm=DTMLFile('dtml/permissionEdit', globals(),
                                   management_view='Security',
                                   help_topic='Security_Manage-Permission.stx',
                                   help_product='OFSP')
+    security.declareProtected(change_permissions, 'manage_permission')
    def manage_permission(self, permission_to_manage,
                          roles=[], acquire=0, REQUEST=None):
        """Change the settings for the given permission.
@@ -197,6 +194,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
    _method_manage_access=DTMLFile('dtml/methodAccess', globals())
+    security.declareProtected(change_permissions, 'manage_access')
    def manage_access(self, REQUEST, **kw):
        """Return an interface for making permissions settings.
        """
@@ -206,6 +204,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
        else:
            return apply(self._normal_manage_access,(), kw)
+    security.declareProtected(change_permissions, 'manage_changePermissions')
    def manage_changePermissions(self, REQUEST):
        """Change all permissions settings, called by management screen.
        """
@@ -237,6 +236,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
            message='Your changes have been saved',
            action ='manage_access')
+    security.declareProtected(change_permissions, 'permissionsOfRole')
    def permissionsOfRole(self, role):
        """Used by management screen.
        """
@@ -250,6 +250,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
                      })
        return r
+    security.declareProtected(change_permissions, 'rolesOfPermission')
    def rolesOfPermission(self, permission):
        """Used by management screen.
        """
@@ -269,6 +270,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
        raise ValueError, (
            "The permission <em>%s</em> is invalid." % escape(permission))
+    security.declareProtected(change_permissions, 'acquiredRolesAreUsedBy')
    def acquiredRolesAreUsedBy(self, permission):
        """Used by management screen.
        """
@@ -293,11 +295,13 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
    __ac_local_roles__=None
+    security.declareProtected(change_permissions, 'manage_listLocalRoles')
    manage_listLocalRoles=DTMLFile('dtml/listLocalRoles', globals(),
                                   management_view='Security',
                                   help_topic='Security_Local-Roles.stx',
                                   help_product='OFSP')
+    security.declareProtected(change_permissions, 'manage_editLocalRoles')
    manage_editLocalRoles=DTMLFile('dtml/editLocalRoles', globals(),
                                   management_view='Security',
                                   help_topic='Security_User-Local-Roles.stx',
@@ -353,6 +357,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
        dict=self.__ac_local_roles__ or {}
        return tuple(dict.get(userid, []))
+    security.declareProtected(change_permissions, 'manage_addLocalRoles')
    def manage_addLocalRoles(self, userid, roles, REQUEST=None):
        """Set local roles for a user."""
        if not roles:
@@ -370,6 +375,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
            stat='Your changes have been saved.'
            return self.manage_listLocalRoles(self, REQUEST, stat=stat)
+    security.declareProtected(change_permissions, 'manage_setLocalRoles')
    def manage_setLocalRoles(self, userid, roles, REQUEST=None):
        """Set local roles for a user."""
        if not roles:
@@ -383,6 +389,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
            stat='Your changes have been saved.'
            return self.manage_listLocalRoles(self, REQUEST, stat=stat)
+    security.declareProtected(change_permissions, 'manage_delLocalRoles')
    def manage_delLocalRoles(self, userids, REQUEST=None):
        """Remove all local roles for a user."""
        dict=self.__ac_local_roles__
@@ -398,7 +405,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
    #------------------------------------------------------------
-    access_debug_info__roles__=()
+    security.declarePrivate('access_debug_info')
    def access_debug_info(self):
        """Return debug info.
        """
@@ -450,6 +457,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
                return 0
        return 1
+    security.declareProtected(change_permissions, 'userdefined_roles')
    def userdefined_roles(self):
        """Return list of user-defined roles.
        """
@@ -459,6 +467,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
            except: pass
        return tuple(roles)
+    security.declareProtected(change_permissions, 'manage_defined_roles')
    def manage_defined_roles(self, submit=None, REQUEST=None):
        """Called by management screen.
        """
@@ -534,7 +543,7 @@ class RoleManager(ExtensionClass.Base, PermissionMapping.RoleManager):
        return d
-Globals.default__class_init__(RoleManager)
+InitializeClass(RoleManager)
 def reqattr(request, attr):

--- a/lib/python/AccessControl/User.py
+++ b/lib/python/AccessControl/User.py
@@ -20,10 +20,12 @@ import re
 import socket
 from base64 import decodestring
-import Globals
 from Acquisition import Implicit
 from App.Management import Navigation, Tabs
 from Globals import DTMLFile, MessageDialog, Persistent, PersistentMapping
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import manage_users as ManageUsers
 from OFS.SimpleItem import Item
 from zExceptions import Unauthorized, BadRequest
 from zope.interface import implements
@@ -459,6 +461,8 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
    encrypt_passwords = 1
+    security = ClassSecurityInfo()
    manage_options=(
        (
        {'label':'Contents', 'action':'manage_main',
@@ -470,32 +474,26 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
        +Item.manage_options
        )
-    __ac_permissions__=(
-        ('Manage users',
-         ('manage_users','getUserNames', 'getUser', 'getUsers',
-          'getUserById', 'user_names', 'setDomainAuthenticationMode',
-          'userFolderAddUser', 'userFolderEditUser', 'userFolderDelUsers',
-          )
-         ),
-        )
    # ----------------------------------
    # Public UserFolder object interface
    # ----------------------------------
+    security.declareProtected(ManageUsers, 'getUserNames')
    def getUserNames(self):
        """Return a list of usernames"""
        raise NotImplementedError
+    security.declareProtected(ManageUsers, 'getUsers')
    def getUsers(self):
        """Return a list of user objects"""
        raise NotImplementedError
+    security.declareProtected(ManageUsers, 'getUser')
    def getUser(self, name):
        """Return the named user object or None"""
        raise NotImplementedError
+    security.declareProtected(ManageUsers, 'getUserById')
    def getUserById(self, id, default=None):
        """Return the user corresponding to the given id.
        """
@@ -534,6 +532,8 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
    # Authors of custom user folders don't need to do anything special to
    # support these - they will just call the appropriate '_' methods that
    # user folder subclasses already implement.
+    security.declareProtected(ManageUsers, 'userFolderAddUser')
    def userFolderAddUser(self, name, password, roles, domains, **kw):
        """API method for creating a new user object. Note that not all
           user folder implementations support dynamic creation of user
@@ -542,6 +542,7 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
            return self._doAddUser(name, password, roles, domains, **kw)
        raise NotImplementedError
+    security.declareProtected(ManageUsers, 'userFolderEditUser')
    def userFolderEditUser(self, name, password, roles, domains, **kw):
        """API method for changing user object attributes. Note that not
           all user folder implementations support changing of user object
@@ -550,6 +551,7 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
            return self._doChangeUser(name, password, roles, domains, **kw)
        raise NotImplementedError
+    security.declareProtected(ManageUsers, 'userFolderDelUsers')
    def userFolderDelUsers(self, names):
        """API method for deleting one or more user objects. Note that not
           all user folder implementations support deletion of user objects."""
@@ -929,6 +931,7 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
        self._doDelUsers(names)
        if REQUEST: return self._mainUser(self, REQUEST)
+    security.declareProtected(ManageUsers, 'manage_users')
    def manage_users(self,submit=None,REQUEST=None,RESPONSE=None):
        """This method handles operations on users for the web based forms
           of the ZMI. Application code (code that is outside of the forms
@@ -968,6 +971,7 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
        return self._mainUser(self, REQUEST)
+    security.declareProtected(ManageUsers, 'user_names')
    def user_names(self):
        return self.getUserNames()
@@ -994,6 +998,7 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
    # Domain authentication support. This is a good candidate to
    # become deprecated in future Zope versions.
+    security.declareProtected(ManageUsers, 'setDomainAuthenticationMode')
    def setDomainAuthenticationMode(self, domain_auth_mode):
        """Set the domain-based authentication mode. By default, this
           mode is off due to the high overhead of the operation that
@@ -1098,7 +1103,7 @@ class UserFolder(BasicUserFolder):
                    pass
-Globals.default__class_init__(UserFolder)
+InitializeClass(UserFolder)
 def manage_addUserFolder(self,dtself=None,REQUEST=None,**ignored):

--- a/lib/python/App/ApplicationManager.py
+++ b/lib/python/App/ApplicationManager.py
@@ -15,6 +15,7 @@ __doc__="""System management components"""
 __version__='$Revision: 1.94 $'[11:-2]
 import sys,os,time,Globals, Acquisition, os, Undo
+from Globals import InitializeClass
 from Globals import DTMLFile
 from OFS.ObjectManager import ObjectManager
 from OFS.Folder import Folder
@@ -69,8 +70,8 @@ class DatabaseManager(Fake, SimpleItem.Item, Acquisition.Implicit):
    manage_cacheParameters=Globals.DTMLFile('dtml/cacheParameters', globals())
    manage_cacheGC=Globals.DTMLFile('dtml/cacheGC', globals())
+InitializeClass(DatabaseManager)
-Globals.default__class_init__(DatabaseManager)
 class FakeConnection:
    # Supports the methods of Connection that CacheManager needs
@@ -133,7 +134,7 @@ class DatabaseChooser (SimpleItem.SimpleItem):
            res.append(m.__of__(self))
        return res
-Globals.InitializeClass(DatabaseChooser)
+InitializeClass(DatabaseChooser)
 class VersionManager(Fake, SimpleItem.Item, Acquisition.Implicit):
@@ -152,7 +153,7 @@ class VersionManager(Fake, SimpleItem.Item, Acquisition.Implicit):
        )
        )
-Globals.default__class_init__(VersionManager)
+InitializeClass(VersionManager)
@@ -264,7 +265,7 @@ class DebugManager(Fake, SimpleItem.Item, Acquisition.Implicit):
    def manage_getSysPath(self):
        return list(sys.path)
-Globals.default__class_init__(DebugManager)
+InitializeClass(DebugManager)

--- a/lib/python/App/CacheManager.py
+++ b/lib/python/App/CacheManager.py
@@ -20,6 +20,7 @@ __version__='$Revision: 1.31 $'[11:-2]
 import time
 import Globals
+from Globals import InitializeClass
 from DateTime import DateTime
 class CacheManager:
@@ -294,5 +295,4 @@ class CacheManager:
               }
        return res
+InitializeClass(CacheManager)
-Globals.default__class_init__(CacheManager)
--- a/lib/python/App/DavLockManager.py
+++ b/lib/python/App/DavLockManager.py
@@ -14,6 +14,7 @@
 __version__ = "$Revision: 1.8 $"[11:-2]
 import OFS, Acquisition, Globals
+from Globals import InitializeClass
 from AccessControl import getSecurityManager, ClassSecurityInfo
 from webdav.Lockable import wl_isLocked
@@ -104,5 +105,4 @@ class DavLockManager(OFS.SimpleItem.Item, Acquisition.Implicit):
        return result
+InitializeClass(DavLockManager)
-Globals.default__class_init__(DavLockManager)
--- a/lib/python/App/Factory.py
+++ b/lib/python/App/Factory.py
@@ -16,6 +16,10 @@ $Id$'''
 __version__='$Revision: 1.27 $'[11:-2]
 import OFS.SimpleItem, Acquisition, Globals, AccessControl.Role
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import edit_factories
+from AccessControl.Permissions import use_factories
 class Factory(
    AccessControl.Role.RoleManager,
@@ -25,15 +29,13 @@ class Factory(
    meta_type='Zope Factory'
    icon='p_/Factory_icon'
+    security = ClassSecurityInfo()
+    security.declareObjectProtected(use_factories)
    permission='' # Waaaa
    _setObject=_getOb=Acquisition.Acquired
-    __ac_permissions__=(
-        ('Edit Factories', ('manage_edit','manage_main')),
-        ('Use Factories', ('index_html','')),
-        )
    manage_options=(
        (
        {'label':'Edit', 'action':'manage_main',
@@ -50,11 +52,12 @@ class Factory(
        self.initial=initial
        self.permission=permission
-    initializePermission__roles__ = ()
+    security.declarePrivate('initializePermission')
    def initializePermission(self):
-        self.manage_setPermissionMapping(('Use Factories',),
+        self.manage_setPermissionMapping((use_factories,),
                                         (self.permission,))
+    security.declareProtected(edit_factories, 'manage_edit')
    def manage_edit(self, title, object_type, initial, permission='',
                    REQUEST=None):
        "Modify factory properties."
@@ -63,7 +66,7 @@ class Factory(
        self.object_type=object_type
        self.initial=initial
        self.permission=permission
-        self.manage_setPermissionMapping(('Use Factories',), (permission,))
+        self.manage_setPermissionMapping((use_factories,), (permission,))
        self._register()
        if REQUEST is not None: return self.manage_main(self, REQUEST)
@@ -100,8 +103,10 @@ class Factory(
        product.aq_acquire('_manage_remove_product_meta_type')(
            product, self.id, self.object_type)
+    security.declareProtected(edit_factories, 'manage_main')
    manage_main=Globals.DTMLFile('dtml/editFactory',globals())
+    security.declareProtected(use_factories, 'index_html')
    def index_html(self, REQUEST):
        " "
        return getattr(self, self.initial)(self.aq_parent, REQUEST)
@@ -112,4 +117,7 @@ class Factory(
            self.aq_parent.objectIds()
            )
+InitializeClass(Factory)
 class ProductFactory(Factory): pass
--- a/lib/python/App/FactoryDispatcher.py
+++ b/lib/python/App/FactoryDispatcher.py
@@ -14,6 +14,8 @@
 # Implement the manage_addProduct method of object managers
 import Acquisition, sys, Products
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 from AccessControl.PermissionMapping import aqwrap
 from AccessControl.Owned import UnownableOwner
@@ -41,6 +43,8 @@ class FactoryDispatcher(Acquisition.Implicit):
    """Provide a namespace for product "methods"
    """
+    security = ClassSecurityInfo()
    _owner=UnownableOwner
    def __init__(self, product, dest, REQUEST=None):
@@ -55,13 +59,15 @@ class FactoryDispatcher(Acquisition.Implicit):
                v=v[:v.rfind('/')]
                self._u=v[:v.rfind('/')]
+    security.declarePublic('Destination')
    def Destination(self):
        "Return the destination for factory output"
        return self.__dict__['_d'] # we don't want to wrap the result!
-    this=Destination
-    this__roles__=Destination__roles__=None
+    security.declarePublic('this')
+    this=Destination
+    security.declarePublic('DestinationURL')
    def DestinationURL(self):
        "Return the URL for the destination for factory output"
        url=getattr(self, '_u', None)
@@ -69,8 +75,6 @@ class FactoryDispatcher(Acquisition.Implicit):
            url=self.Destination().absolute_url()
        return url
-    DestinationURL__roles__=None
    def __getattr__(self, name):
        p=self.__dict__['_product']
        d=p.__dict__
@@ -102,3 +106,4 @@ class FactoryDispatcher(Acquisition.Implicit):
        d = update_menu and '/manage_main?update_menu=1' or '/manage_main'
        REQUEST['RESPONSE'].redirect(self.DestinationURL()+d)
+InitializeClass(FactoryDispatcher)
--- a/lib/python/App/ImageFile.py
+++ b/lib/python/App/ImageFile.py
@@ -17,6 +17,8 @@ __version__='$Revision: 1.20 $'[11:-2]
 import os
 import time
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 from App.config import getConfiguration
 from OFS.content_types import guess_content_type
 from Globals import package_home
@@ -28,6 +30,8 @@ import Globals
 class ImageFile(Acquisition.Explicit):
    """Image objects stored in external files."""
+    security = ClassSecurityInfo()
    def __init__(self,path,_prefix=None):
        if _prefix is None:
            _prefix=getConfiguration().softwarehome
@@ -84,7 +88,7 @@ class ImageFile(Acquisition.Explicit):
        return open(self.path,'rb').read()
-    HEAD__roles__=None
+    security.declarePublic('HEAD')
    def HEAD(self, REQUEST, RESPONSE):
        """ """
        RESPONSE.setHeader('Content-Type', self.content_type)
@@ -97,3 +101,5 @@ class ImageFile(Acquisition.Explicit):
    def __str__(self):
        return '<img src="%s" alt="" />' % self.__name__
+InitializeClass(ImageFile)
--- a/lib/python/App/Management.py
+++ b/lib/python/App/Management.py
@@ -15,10 +15,13 @@
 $Id$
 """
-import sys, Globals, ExtensionClass, urllib
+import sys, ExtensionClass, urllib
 from Globals import DTMLFile, HTMLFile
+from Globals import InitializeClass
 from zExceptions import Redirect
 from AccessControl import getSecurityManager, Unauthorized
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import view_management_screens
 from cgi import escape
 from zope.interface import implements
@@ -28,13 +31,15 @@ from interfaces import INavigation
 class Tabs(ExtensionClass.Base):
    """Mix-in provides management folder tab support."""
-    manage_tabs__roles__=('Anonymous',)
+    security = ClassSecurityInfo()
+    security.declarePublic('manage_tabs')
    manage_tabs=DTMLFile('dtml/manage_tabs', globals())
    manage_options  =()
-    filtered_manage_options__roles__=None
+    security.declarePublic('filtered_manage_options')
    def filtered_manage_options(self, REQUEST=None):
        validate=getSecurityManager().validate
@@ -131,7 +136,7 @@ class Tabs(ExtensionClass.Base):
        out.append(last)
        return '/'.join(out)
-    class_manage_path__roles__=None
+    security.declarePublic('class_manage_path')
    def class_manage_path(self):
        if self.__class__.__module__[:1] != '*':
            return
@@ -150,7 +155,7 @@ class Tabs(ExtensionClass.Base):
        if path:
            return '/Control_Panel/Products/%s/manage_workspace' % path
-Globals.default__class_init__(Tabs)
+InitializeClass(Tabs)
 class Navigation(ExtensionClass.Base):
@@ -158,36 +163,38 @@ class Navigation(ExtensionClass.Base):
    implements(INavigation)
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('View management screens',
-         ('manage', 'manage_menu', 'manage_top_frame',
-          'manage_page_header',
-          'manage_page_footer',
-          )),
-        )
+    security.declareProtected(view_management_screens, 'manage')
    manage            =DTMLFile('dtml/manage', globals())
+    security.declareProtected(view_management_screens, 'manage_menu')
    manage_menu       =DTMLFile('dtml/menu', globals())
+    security.declareProtected(view_management_screens, 'manage_top_frame')
    manage_top_frame  =DTMLFile('dtml/manage_top_frame', globals())
+    security.declareProtected(view_management_screens, 'manage_page_header')
    manage_page_header=DTMLFile('dtml/manage_page_header', globals())
+    security.declareProtected(view_management_screens, 'manage_page_footer')
    manage_page_footer=DTMLFile('dtml/manage_page_footer', globals())
+    security.declarePublic('manage_form_title')
    manage_form_title =DTMLFile('dtml/manage_form_title', globals(),
                                form_title='Add Form',
                                help_product=None,
                                help_topic=None)
    manage_form_title._setFuncSignature(
        varnames=('form_title', 'help_product', 'help_topic') )
-    manage_form_title__roles__ = None
+    security.declarePublic('zope_quick_start')
    zope_quick_start=DTMLFile('dtml/zope_quick_start', globals())
-    zope_quick_start__roles__=None
+    security.declarePublic('manage_copyright')
    manage_copyright=DTMLFile('dtml/copyright', globals())
-    manage_copyright__roles__ = None
-    manage_zmi_logout__roles__ = None
+    security.declarePublic('manage_zmi_logout')
    def manage_zmi_logout(self, REQUEST, RESPONSE):
        """Logout current user"""
        p = getattr(REQUEST, '_logout_path', None)
@@ -207,12 +214,14 @@ You have been logged out.
 </html>""")
        return
+    security.declarePublic('manage_zmi_prefs')
    manage_zmi_prefs=DTMLFile('dtml/manage_zmi_prefs', globals())
-    manage_zmi_prefs__roles__ = None
+# Navigation doesn't have an inherited __class_init__ so doesn't get
+# initialized automatically.
 file = DTMLFile('dtml/manage_page_style.css', globals())
+Navigation.security.declarePublic('manage_page_style.css')
 setattr(Navigation, 'manage_page_style.css', file)
-setattr(Navigation, 'manage_page_style.css__roles__', None)
-Globals.default__class_init__(Navigation)
+InitializeClass(Navigation)
--- a/lib/python/App/Product.py
+++ b/lib/python/App/Product.py
@@ -41,10 +41,12 @@ from urllib import quote
 import transaction
 import Globals, OFS.Folder, OFS.SimpleItem,  Acquisition, Products
+from Globals import InitializeClass
 import ZClasses, AccessControl.Owned
 from OFS.Folder import Folder
 from HelpSys.HelpSys import ProductHelp
 from AccessControl import Unauthorized
+from AccessControl import ClassSecurityInfo
 from Factory import Factory
 from Permission import PermissionManager
@@ -79,12 +81,15 @@ class ProductFolder(Folder):
    def _canCopy(self, op=0):
        return 0
-Globals.InitializeClass(ProductFolder)
+InitializeClass(ProductFolder)
 class Product(Folder, PermissionManager):
    """Model a product that can be created through the web.
    """
+    security =  ClassSecurityInfo()
    meta_type='Product'
    icon='p_/Product_icon'
    version=''
@@ -171,15 +176,15 @@ class Product(Folder, PermissionManager):
        except:
            pass
+    security.declarePublic('Destination')
    def Destination(self):
        "Return the destination for factory output"
        return self
-    Destination__roles__=None
+    security.declarePublic('DestinationURL')
    def DestinationURL(self):
        "Return the URL for the destination for factory output"
        return self.REQUEST['BASE4']
-    DestinationURL__roles__=None
    def manage_distribute(self, version, RESPONSE, configurable_objects=[],
                          redistributable=0):
@@ -419,7 +424,7 @@ class Product(Folder, PermissionManager):
        if REQUEST is not None:
            return self.manage_refresh(REQUEST)
-Globals.InitializeClass(Product)
+InitializeClass(Product)
 class CompressedOutputFile:

--- a/lib/python/App/Undo.py
+++ b/lib/python/App/Undo.py
@@ -16,7 +16,10 @@ $Id$
 """
 from Acquisition import aq_base, aq_parent, aq_inner
+from Globals import InitializeClass
 from AccessControl import getSecurityManager
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import undo_changes
 from DateTime import DateTime
 import Globals, ExtensionClass
 from ZopeUndo.Prefix import Prefix
@@ -30,19 +33,14 @@ class UndoSupport(ExtensionClass.Base):
    implements(IUndoSupport)
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('Undo changes', (
-            'manage_undo_transactions',
-            'undoable_transactions',
-            'manage_UndoForm',
-            )),
-        )
    manage_options=(
        {'label':'Undo', 'action':'manage_UndoForm',
         'help':('OFSP','Undo.stx')},
        )
+    security.declareProtected(undo_changes, 'manage_UndoForm')
    manage_UndoForm=Globals.DTMLFile(
        'dtml/undo',
        globals(),
@@ -64,6 +62,7 @@ class UndoSupport(ExtensionClass.Base):
            else: v=default
            return v
+    security.declareProtected(undo_changes, 'undoable_transactions')
    def undoable_transactions(self, first_transaction=None,
                              last_transaction=None,
                              PrincipiaUndoBatchSize=None):
@@ -123,6 +122,7 @@ class UndoSupport(ExtensionClass.Base):
        return r
+    security.declareProtected(undo_changes, 'manage_undo_transactions')
    def manage_undo_transactions(self, transaction_info=(), REQUEST=None):
        """
        """
@@ -139,7 +139,7 @@ class UndoSupport(ExtensionClass.Base):
        REQUEST['RESPONSE'].redirect("%s/manage_UndoForm" % REQUEST['URL1'])
        return ''
-Globals.default__class_init__(UndoSupport)
+InitializeClass(UndoSupport)
 ########################################################################
 # Blech, need this cause binascii.b2a_base64 is too pickly

--- a/lib/python/Globals/__init__.py
+++ b/lib/python/Globals/__init__.py
@@ -26,12 +26,12 @@ import TreeDisplay
 from App.Common import package_home, attrget, Dictionary
 from App.config import getConfiguration as _getConfiguration
 from Persistence import Persistent, PersistentMapping
-from App.special_dtml import HTML, HTMLFile, DTMLFile
 from App.class_init import default__class_init__, ApplicationDefaultPermissions
 # Nicer alias for class initializer.
 InitializeClass = default__class_init__
+from App.special_dtml import HTML, HTMLFile, DTMLFile
 from App.Dialogs import MessageDialog
 from App.ImageFile import ImageFile

--- a/lib/python/HelpSys/HelpSys.py
+++ b/lib/python/HelpSys/HelpSys.py
@@ -15,12 +15,16 @@ import Acquisition
 from OFS.SimpleItem import Item
 from OFS.ObjectManager import ObjectManager
 from Globals import Persistent, DTMLFile, HTML
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import access_contents_information
+from AccessControl.Permissions import add_documents_images_and_files
+from AccessControl.Permissions import view as View
 from Products.ZCatalog.ZCatalog import ZCatalog
 from Products.ZCatalog.Lazy import LazyCat
 from cgi import escape
 import Products
 import HelpTopic
-import Globals
 class HelpSys(Acquisition.Implicit, ObjectManager, Item, Persistent):
    """
@@ -30,22 +34,18 @@ class HelpSys(Acquisition.Implicit, ObjectManager, Item, Persistent):
    """
    meta_type='Help System'
+    security = ClassSecurityInfo()
+    security.declareObjectProtected(View)
    manage_options=(
        {'label' : 'Contents', 'action' : 'menu'},
        {'label' : 'Search', 'action' : 'search'},
    )
-    __ac_permissions__=(
-        ('View',
-         ('__call__', 'searchResults', 'HelpButton', '',
-          'index_html', 'menu', 'search', 'results', 'main',
-          'helpLink')),
-        ('Access contents information', ('helpValues',)),
-        )
    def __init__(self, id='HelpSys'):
        self.id=id
+    security.declareProtected(access_contents_information, 'helpValues')
    def helpValues(self, spec=None):
        "ProductHelp objects of all Products that have help"
        hv=[]
@@ -59,6 +59,8 @@ class HelpSys(Acquisition.Implicit, ObjectManager, Item, Persistent):
    # Seaching does an aggregated search of all ProductHelp
    # objects. Only Help Topics for which the user has permissions
    # are returned.
+    security.declareProtected(View, '__call__')
    def __call__(self, REQUEST=None, **kw):
        "Searchable interface"
        if REQUEST is not None:
@@ -73,18 +75,29 @@ class HelpSys(Acquisition.Implicit, ObjectManager, Item, Persistent):
            results.append(apply(getattr(ph, '__call__'), (REQUEST,) , kw))
        return LazyCat(results)
+    security.declareProtected(View, 'searchResults')
    searchResults=__call__
+    security.declareProtected(View, 'index_html')
    index_html=DTMLFile('dtml/frame', globals())
+    security.declareProtected(View, 'menu')
    menu=DTMLFile('dtml/menu', globals())
+    security.declareProtected(View, 'search')
    search=DTMLFile('dtml/search', globals())
+    security.declareProtected(View, 'results')
    results=DTMLFile('dtml/results', globals())
+    security.declareProtected(View, 'main')
    main=HTML("""<html></html>""")
    standard_html_header=DTMLFile('dtml/menu_header', globals())
    standard_html_footer=DTMLFile('dtml/menu_footer', globals())
    button=DTMLFile('dtml/button', globals())
+    security.declareProtected(View, 'HelpButton')
    def HelpButton(self, topic, product):
        """
        Insert a help button linked to a help topic.
@@ -93,6 +106,7 @@ class HelpSys(Acquisition.Implicit, ObjectManager, Item, Persistent):
    helpURL=DTMLFile('dtml/helpURL',globals())
+    security.declareProtected(View, 'helpLink')
    def helpLink(self, product='OFSP', topic='ObjectManager_Contents.stx'):
        # Generate an <a href...> tag linking to a help topic. This
        # is a little lighter weight than the help button approach.
@@ -133,7 +147,7 @@ class HelpSys(Acquisition.Implicit, ObjectManager, Item, Persistent):
            cols.append(TreeCollection(k,v,0))
        return cols
-Globals.default__class_init__(HelpSys)
+InitializeClass(HelpSys)
 class TreeCollection:
@@ -188,6 +202,8 @@ class ProductHelp(Acquisition.Implicit, ObjectManager, Item, Persistent):
    meta_type='Product Help'
    icon='p_/ProductHelp_icon'
+    security = ClassSecurityInfo()
    lastRegistered=None
    meta_types=({'name':'Help Topic',
@@ -200,10 +216,6 @@ class ProductHelp(Acquisition.Implicit, ObjectManager, Item, Persistent):
        Item.manage_options
        )
-    __ac_permissions__=(
-        ('Add Documents, Images, and Files', ('addTopicForm', 'addTopic')),
-        )
    def __init__(self, id='Help', title=''):
        self.id=id
        self.title=title
@@ -222,8 +234,10 @@ class ProductHelp(Acquisition.Implicit, ObjectManager, Item, Persistent):
        c.addColumn('url')
        c.addColumn('id')
+    security.declareProtected(add_documents_images_and_files, 'addTopicForm')
    addTopicForm=DTMLFile('dtml/addTopic', globals())
+    security.declareProtected(add_documents_images_and_files, 'addTopic')
    def addTopic(self, id, title, REQUEST=None):
        "Add a Help Topic"
        topic=HelpTopic.DTMLDocumentTopic(
@@ -295,5 +309,4 @@ class ProductHelp(Acquisition.Implicit, ObjectManager, Item, Persistent):
    standard_html_header=DTMLFile('dtml/topic_header', globals())
    standard_html_footer=DTMLFile('dtml/topic_footer', globals())
+InitializeClass(ProductHelp)
-Globals.default__class_init__(ProductHelp)
--- a/lib/python/HelpSys/HelpTopic.py
+++ b/lib/python/HelpSys/HelpTopic.py
@@ -15,6 +15,10 @@ import Acquisition
 from ComputedAttribute import ComputedAttribute
 from OFS.SimpleItem import Item
 from Globals import Persistent, HTML, DTMLFile, ImageFile
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import access_contents_information
+from AccessControl.Permissions import view as View
 from OFS.DTMLDocument import DTMLDocument
 from OFS.PropertyManager import PropertyManager
 import os.path
@@ -115,15 +119,18 @@ class HelpTopic(Acquisition.Implicit, HelpTopicBase, Item, PropertyManager, Pers
    icon='p_/HelpTopic_icon'
    _v_last_read = 0
+    security = ClassSecurityInfo()
    manage_options=(
        {'label':'Properties', 'action':'manage_propertiesForm'},
        {'label':'View', 'action':'index_html'},
        )
-    __ac_permissions__=(
+    security.declareProtected(View, 'SearchableText')
-        ('View', ('index_html', 'SearchableText', 'url')),
-        ('Access contents information', ('helpValues',)),
+    security.declareProtected(View, 'url')
-        )
+    security.declareProtected(access_contents_information, 'helpValues')
    def _set_last_read(self, filepath):
        try:    mtime = os.stat(filepath)[8]
@@ -141,10 +148,13 @@ class HelpTopic(Acquisition.Implicit, HelpTopicBase, Item, PropertyManager, Pers
                self._v_last_read=mtime
                self.reindex_object()
+    security.declareProtected(View, 'index_html')
    def index_html(self, REQUEST, RESPONSE):
        "View the Help Topic"
        raise NotImplementedError
+InitializeClass(HelpTopic)
 class DTMLDocumentTopic(HelpTopicBase, DTMLDocument):
    """

--- a/lib/python/HelpSys/ObjectRef.py
+++ b/lib/python/HelpSys/ObjectRef.py
@@ -15,6 +15,8 @@
 __version__='$Revision: 1.10 $'[11:-2]
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 import sys, os,  Globals, Acquisition
 from HelpUtil import HelpBase, classobject
 from HelpUtil import is_class, is_module
@@ -26,7 +28,8 @@ from urllib import quote
 class ObjectItem(HelpBase, classobject):
    """ """
-    __roles__=None
+    security = ClassSecurityInfo()
+    security.declareObjectPublic()
    hs_main=DTMLFile('dtml/objectitem', globals())
@@ -75,16 +78,19 @@ class ObjectItem(HelpBase, classobject):
        del mdict
        return mlist
-    hs_objectvalues__roles__=None
+    security.declarePublic('hs_objectvalues')
    def hs_objectvalues(self):
        return []
+InitializeClass(ObjectItem)
 class ObjectRef(HelpBase):
    """ """
+    security = ClassSecurityInfo()
+    security.declareObjectPublic()
    __names__=None
-    __roles__=None
    hs_main=DTMLFile('dtml/objectref', globals())
@@ -129,7 +135,7 @@ class ObjectRef(HelpBase):
                dict=self.hs_search_mod(v, dict)
        return dict
-    hs_objectvalues__roles__=None
+    security.declarePublic('hs_objectvalues')
    def hs_objectvalues(self):
        if self.__names__ is None:
            self.hs_deferred__init__()
@@ -140,3 +146,5 @@ class ObjectRef(HelpBase):
    def __getitem__(self, key):
        return self.__dict__[key].__of__(self)
+InitializeClass(ObjectRef)
--- a/lib/python/OFS/Application.py
+++ b/lib/python/OFS/Application.py
@@ -22,6 +22,8 @@ from warnings import warn
 import Globals, Products, App.Product, App.ProductRegistry
 import transaction
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 from AccessControl.User import UserFolder
 from Acquisition import aq_base
 from App.ApplicationManager import ApplicationManager
@@ -51,8 +53,9 @@ class Application(Globals.ApplicationDefaultPermissions,
    implements(IApplication)
+    security = ClassSecurityInfo()
    title ='Zope'
-    #__roles__=['Manager', 'Anonymous']
    __defined_roles__=('Manager','Anonymous','Owner')
    web__form__method='GET'
    isTopLevelPrincipiaApplicationObject=1
@@ -103,7 +106,7 @@ class Application(Globals.ApplicationDefaultPermissions,
        return self.title
    def __class_init__(self):
-        Globals.default__class_init__(self)
+        InitializeClass(self)
    def PrincipiaRedirect(self, destination, URL1):
        """Utility function to allow user-controlled redirects"""
@@ -135,7 +138,7 @@ class Application(Globals.ApplicationDefaultPermissions,
    ZopeTime = PrincipiaTime
-    ZopeAttributionButton__roles__=None
+    security.declarePublic('ZopeAttributionButton')
    def ZopeAttributionButton(self):
        """Returns an HTML fragment that displays the 'powered by zope'
        button along with a link to the Zope site."""
@@ -194,7 +197,7 @@ class Application(Globals.ApplicationDefaultPermissions,
        # We're at the base of the path.
        return ('',)
-    fixupZClassDependencies__roles__=()
+    security.declarePrivate('fixupZClassDependencies')
    def fixupZClassDependencies(self, rebuild=0):
        # Note that callers should not catch exceptions from this method
        # to ensure that the transaction gets aborted if the registry
@@ -252,7 +255,7 @@ class Application(Globals.ApplicationDefaultPermissions,
        return result
-    checkGlobalRegistry__roles__=()
+    security.declarePrivate('checkGlobalRegistry')
    def checkGlobalRegistry(self):
        """Check the global (zclass) registry for problems, which can
        be caused by things like disk-based products being deleted.
@@ -268,19 +271,21 @@ class Application(Globals.ApplicationDefaultPermissions,
            return 1
        return 0
-    _setInitializerRegistry__roles__ = ()
+    security.declarePrivate('_setInitializerFlag')
    def _setInitializerFlag(self, flag):
        if self._initializer_registry is None:
            self._initializer_registry = {}
        self._initializer_registry[flag] = 1
-    _getInitializerRegistry__roles__ = ()
+    security.declarePrivate('_getInitializerFlag')
    def _getInitializerFlag(self, flag):
        reg = self._initializer_registry
        if reg is None:
            reg = {}
        return reg.get(flag)
+InitializeClass(Application)
 class Expired(Globals.Persistent):
@@ -645,7 +650,7 @@ def install_products(app):
                        folder_permissions, raise_exc=debug_mode)
    Products.meta_types=Products.meta_types+tuple(meta_types)
-    Globals.default__class_init__(Folder.Folder)
+    InitializeClass(Folder.Folder)
 def get_products():
    """ Return a list of tuples in the form:
@@ -923,7 +928,7 @@ def reinstall_product(app, product_name):
            break
    Products.meta_types=Products.meta_types+tuple(meta_types)
-    Globals.default__class_init__(Folder.Folder)
+    InitializeClass(Folder.Folder)
 def reimport_product(product_name):

--- a/lib/python/OFS/Cache.py
+++ b/lib/python/OFS/Cache.py
@@ -16,16 +16,19 @@ $Id$
 """
 import time, sys
 import Globals
+from Globals import InitializeClass
 from Globals import DTMLFile
 from Acquisition import aq_get, aq_acquire, aq_inner, aq_parent, aq_base
 from zLOG import LOG, WARNING
+from AccessControl import ClassSecurityInfo
 from AccessControl import getSecurityManager
 from AccessControl.Role import _isBeingUsedAsAMethod
 from AccessControl import Unauthorized
+from AccessControl.Permissions import view_management_screens
 ZCM_MANAGERS = '__ZCacheManager_ids__'
-ViewManagementScreensPermission = 'View management screens'
+ViewManagementScreensPermission = view_management_screens
 ChangeCacheSettingsPermission = 'Change cache settings'
@@ -86,21 +89,11 @@ class Cacheable:
        'help':('OFSP','Cacheable-properties.stx'),
        },)
-    __ac_permissions__ = (
+    security = ClassSecurityInfo()
-        (ViewManagementScreensPermission,
+    security.setPermissionDefault(ChangeCacheSettingsPermission, ('Manager',))
-         ('ZCacheable_manage',
-          'ZCacheable_invalidate',
-          'ZCacheable_enabled',
-          'ZCacheable_getManagerId',
-          'ZCacheable_getManagerIds',
-          'ZCacheable_configHTML',
-          )),
-        (ChangeCacheSettingsPermission,
-         ('ZCacheable_setManagerId',
-          'ZCacheable_setEnabled',
-          ), ('Manager',)),
-        )
+    security.declareProtected(ViewManagementScreensPermission,
+                              'ZCacheable_manage')
    ZCacheable_manage = DTMLFile('dtml/cacheable', globals())
    _v_ZCacheable_cache = None
@@ -109,7 +102,7 @@ class Cacheable:
    __enabled = 1
    _isCacheable = 1
-    ZCacheable_getManager__roles__ = ()
+    security.declarePrivate('ZCacheable_getManager')
    def ZCacheable_getManager(self):
        '''Returns the currently associated cache manager.'''
        manager_id = self.__manager_id
@@ -122,7 +115,7 @@ class Cacheable:
        except AttributeError:
            return None
-    ZCacheable_getCache__roles__ = ()
+    security.declarePrivate('ZCacheable_getCache')
    def ZCacheable_getCache(self):
        '''Gets the cache associated with this object.
        '''
@@ -143,7 +136,7 @@ class Cacheable:
        self._v_ZCacheable_manager_timestamp = manager_timestamp
        return c
-    ZCacheable_isCachingEnabled__roles__ = ()
+    security.declarePrivate('ZCacheable_isCachingEnabled')
    def ZCacheable_isCachingEnabled(self):
        '''
        Returns true only if associated with a cache manager and
@@ -158,7 +151,7 @@ class Cacheable:
        m = _isBeingUsedAsAMethod(self)
        return m
-    ZCacheable_getObAndView__roles__ = ()
+    security.declarePrivate('ZCacheable_getObAndView')
    def ZCacheable_getObAndView(self, view_name):
        """
        If this object is a method of a ZClass and we're working
@@ -178,7 +171,7 @@ class Cacheable:
                ob = self
        return ob, view_name
-    ZCacheable_get__roles__ = ()
+    security.declarePrivate('ZCacheable_get')
    def ZCacheable_get(self, view_name='', keywords=None,
                       mtime_func=None, default=None):
        '''Retrieves the cached view for the object under the
@@ -198,7 +191,7 @@ class Cacheable:
                return default
        return default
-    ZCacheable_set__roles__ = ()
+    security.declarePrivate('ZCacheable_set')
    def ZCacheable_set(self, data, view_name='', keywords=None,
                       mtime_func=None):
        '''Cacheable views should call this method after generating
@@ -214,6 +207,8 @@ class Cacheable:
                LOG('Cache', WARNING, 'ZCache_set() exception',
                    error=sys.exc_info())
+    security.declareProtected(ViewManagementScreensPermission,
+                              'ZCacheable_invalidate')
    def ZCacheable_invalidate(self, view_name='', REQUEST=None):
        '''Called after a cacheable object is edited. Causes all
        cache entries that apply to the view_name to be removed.
@@ -243,7 +238,7 @@ class Cacheable:
        else:
            return message
-    ZCacheable_getModTime__roles__=()
+    security.declarePrivate('ZCacheable_getModTime')
    def ZCacheable_getModTime(self, mtime_func=None):
        '''Returns the highest of the last mod times.'''
        # Based on:
@@ -271,6 +266,8 @@ class Cacheable:
                mtime = max(getattr(klass, '_p_mtime', mtime), mtime)
        return mtime
+    security.declareProtected(ViewManagementScreensPermission,
+                              'ZCacheable_getManagerId')
    def ZCacheable_getManagerId(self):
        '''Returns the id of the current ZCacheManager.'''
        return self.__manager_id
@@ -282,6 +279,8 @@ class Cacheable:
            return manager.absolute_url()
        return None
+    security.declareProtected(ViewManagementScreensPermission,
+                              'ZCacheable_getManagerIds')
    def ZCacheable_getManagerIds(self):
        '''Returns a list of mappings containing the id and title
        of the available ZCacheManagers.'''
@@ -303,6 +302,8 @@ class Cacheable:
            ob = aq_parent(aq_inner(ob))
        return tuple(rval)
+    security.declareProtected(ChangeCacheSettingsPermission,
+                              'ZCacheable_setManagerId')
    def ZCacheable_setManagerId(self, manager_id, REQUEST=None):
        '''Changes the manager_id for this object.'''
        self.ZCacheable_invalidate()
@@ -319,11 +320,15 @@ class Cacheable:
                self, REQUEST, management_view='Cache',
                manage_tabs_message='Cache settings changed.')
+    security.declareProtected(ViewManagementScreensPermission,
+                              'ZCacheable_enabled')
    def ZCacheable_enabled(self):
        '''Returns true if caching is enabled for this object
        or method.'''
        return self.__enabled
+    security.declareProtected(ChangeCacheSettingsPermission,
+                              'ZCacheable_setEnabled')
    def ZCacheable_setEnabled(self, enabled=0, REQUEST=None):
        '''Changes the enabled flag. Normally used only when
        setting up cacheable ZClass methods.'''
@@ -333,6 +338,8 @@ class Cacheable:
                self, REQUEST, management_view='Cache',
                manage_tabs_message='Cache settings changed.')
+    security.declareProtected(ViewManagementScreensPermission,
+                              'ZCacheable_configHTML')
    def ZCacheable_configHTML(self):
        '''Override to provide configuration of caching
        behavior that can only be specific to the cacheable object.
@@ -340,7 +347,7 @@ class Cacheable:
        return ''
-Globals.default__class_init__(Cacheable)
+InitializeClass(Cacheable)
 def findCacheables(ob, manager_id, require_assoc, subfolders,
@@ -432,19 +439,15 @@ class CacheManager:
    A base class for cache managers.  Implement ZCacheManager_getCache().
    '''
-    ZCacheManager_getCache__roles__ = ()
+    security = ClassSecurityInfo()
+    security.setPermissionDefault(ChangeCacheSettingsPermission, ('Manager',))
+    security.declarePrivate('ZCacheManager_getCache')
    def ZCacheManager_getCache(self):
        raise NotImplementedError
    _isCacheManager = 1
-    __ac_permissions__ = (
-        ('Change cache settings', ('ZCacheManager_locate',
-                                   'ZCacheManager_setAssociations',
-                                   'ZCacheManager_associate'),
-         ('Manager',)),
-        )
    manage_options = (
        {'label':'Associate',
         'action':'ZCacheManager_associate',
@@ -473,8 +476,12 @@ class CacheManager:
                global manager_timestamp
                manager_timestamp = time.time()
+    security.declareProtected(ChangeCacheSettingsPermission,
+                              'ZCacheManager_associate')
    ZCacheManager_associate = DTMLFile('dtml/cmassoc', globals())
+    security.declareProtected(ChangeCacheSettingsPermission,
+                              'ZCacheManager_locate')
    def ZCacheManager_locate(self, require_assoc, subfolders,
                             meta_types=[], REQUEST=None):
        '''Locates cacheable objects.
@@ -494,6 +501,8 @@ class CacheManager:
        else:
            return rval
+    security.declareProtected(ChangeCacheSettingsPermission,
+                              'ZCacheManager_setAssociations')
    def ZCacheManager_setAssociations(self, props=None, REQUEST=None):
        '''Associates and un-associates cacheable objects with this
        cache manager.
@@ -530,4 +539,4 @@ class CacheManager:
                (addcount, remcount)
                )
-Globals.default__class_init__(CacheManager)
+InitializeClass(CacheManager)
--- a/lib/python/OFS/CopySupport.py
+++ b/lib/python/OFS/CopySupport.py
@@ -23,8 +23,12 @@ from zlib import compress, decompress
 import Globals, Moniker, ExtensionClass
 import transaction
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 from AccessControl import getSecurityManager
-from AccessControl.Permissions import delete_objects as DeleteObjects
+from AccessControl.Permissions import view_management_screens
+from AccessControl.Permissions import copy_or_move
+from AccessControl.Permissions import delete_objects
 from Acquisition import aq_base, aq_inner, aq_parent
 from App.Dialogs import MessageDialog
 from webdav.Lockable import ResourceLockedError
@@ -54,13 +58,7 @@ class CopyContainer(ExtensionClass.Base):
    implements(ICopyContainer)
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('View management screens',
-         ('manage_copyObjects', 'manage_pasteObjects',
-          'manage_renameForm', 'manage_renameObject', 'manage_renameObjects',)),
-        ('Delete objects',
-         ('manage_cutObjects',)),
-        )
    # The following three methods should be overridden to store sub-objects
    # as non-attributes.
@@ -83,6 +81,7 @@ class CopyContainer(ExtensionClass.Base):
    def manage_CopyContainerAllItems(self, REQUEST):
        return map(lambda i, s=self: s._getOb(i), tuple(REQUEST['ids']))
+    security.declareProtected(delete_objects, 'manage_cutObjects')
    def manage_cutObjects(self, ids=None, REQUEST=None):
        """Put a reference to the objects named in ids in the clip board"""
        if ids is None and REQUEST is not None:
@@ -112,6 +111,7 @@ class CopyContainer(ExtensionClass.Base):
            return self.manage_main(self, REQUEST)
        return cp
+    security.declareProtected(view_management_screens, 'manage_copyObjects')
    def manage_copyObjects(self, ids=None, REQUEST=None, RESPONSE=None):
        """Put a reference to the objects named in ids in the clip board"""
        if ids is None and REQUEST is not None:
@@ -154,6 +154,7 @@ class CopyContainer(ExtensionClass.Base):
            id='copy%s_of_%s' % (n and n+1 or '', orig_id)
            n=n+1
+    security.declareProtected(view_management_screens, 'manage_pasteObjects')
    def manage_pasteObjects(self, cb_copy_data=None, REQUEST=None):
        """Paste previously copied objects into the current object.
@@ -287,8 +288,10 @@ class CopyContainer(ExtensionClass.Base):
        return result
+    security.declareProtected(view_management_screens, 'manage_renameForm')
    manage_renameForm=Globals.DTMLFile('dtml/renameForm', globals())
+    security.declareProtected(view_management_screens, 'manage_renameObjects')
    def manage_renameObjects(self, ids=[], new_ids=[], REQUEST=None):
        """Rename several sub-objects"""
        if len(ids) != len(new_ids):
@@ -300,6 +303,7 @@ class CopyContainer(ExtensionClass.Base):
            return self.manage_main(self, REQUEST, update_menu=1)
        return None
+    security.declareProtected(view_management_screens, 'manage_renameObject')
    def manage_renameObject(self, id, new_id, REQUEST=None):
        """Rename a particular sub-object.
        """
@@ -353,7 +357,8 @@ class CopyContainer(ExtensionClass.Base):
    # supposed to be public since it does its own auth ?
    #
    # Because it's still a "management" function.
-    manage_clone__roles__=None
+    security.declarePublic('manage_clone')
    def manage_clone(self, ob, id, REQUEST=None):
        """Clone an object, creating a new object with the given id.
        """
@@ -497,7 +502,7 @@ class CopyContainer(ExtensionClass.Base):
                    raise Unauthorized, absattr(object.id)
                if validate_src == 2: # moving
-                    if not sm.checkPermission(DeleteObjects, parent):
+                    if not sm.checkPermission(delete_objects, parent):
                        raise Unauthorized, 'Delete not allowed.'
        else: # /if method_name
@@ -507,7 +512,7 @@ class CopyContainer(ExtensionClass.Base):
                             'operation.' % escape(absattr(object.id))),
                  action  = 'manage_main')
-Globals.default__class_init__(CopyContainer)
+InitializeClass(CopyContainer)
 class CopySource(ExtensionClass.Base):
@@ -518,9 +523,8 @@ class CopySource(ExtensionClass.Base):
    # declare a dummy permission for Copy or Move here that we check
    # in cb_isCopyable.
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('Copy or Move', (), ('Anonymous', 'Manager',)),
+    security.setPermissionDefault(copy_or_move, ('Anonymous', 'Manager'))
-        )
    def _canCopy(self, op=0):
        """Called to make sure this object is copyable.
@@ -593,10 +597,10 @@ class CopySource(ExtensionClass.Base):
        return 1
    def cb_userHasCopyOrMovePermission(self):
-        if getSecurityManager().checkPermission('Copy or Move', self):
+        if getSecurityManager().checkPermission(copy_or_move, self):
            return 1
-Globals.default__class_init__(CopySource)
+InitializeClass(CopySource)
 def sanity_check(c, ob):

--- a/lib/python/OFS/DTMLDocument.py
+++ b/lib/python/OFS/DTMLDocument.py
@@ -14,6 +14,7 @@
 $Id$
 """
+from Globals import InitializeClass
 from ZPublisher.Converters import type_converters
 from Globals import HTML, DTMLFile, MessageDialog
 from OFS.content_types import guess_content_type
@@ -24,8 +25,9 @@ from webdav.Lockable import ResourceLockedError
 from webdav.WriteLockInterface import WriteLockInterface
 from sgmllib import SGMLParser
 from urllib import quote
-import Globals
 from AccessControl import getSecurityManager
+from AccessControl.Permissions import change_dtml_methods
+from AccessControl.Permissions import change_dtml_documents
 from zExceptions.TracebackSupplement import PathTracebackSupplement
 done='done'
@@ -45,11 +47,13 @@ class DTMLDocument(PropertyManager, DTMLMethod):
        PropertyManager.manage_options +
        DTMLMethod.manage_options[2:]
        )
-    ps = DTMLMethod.__ac_permissions__
+    # Replace change_dtml_methods by change_dtml_documents
-    __ac_permissions__=(
+    __ac_permissions__ = tuple([
-        ps[0], ('Change DTML Documents', ps[1][1]), ps[2], ps[3], ps[4])
+        (perms[0] == change_dtml_methods)
-    del ps
+            and (change_dtml_documents, perms[1])
+            or perms
+        for perms in DTMLMethod.__ac_permissions__])
    def manage_edit(self,data,title,SUBMIT='Change',dtpref_cols='100%',
                    dtpref_rows='20',REQUEST=None):
@@ -146,7 +150,7 @@ class DTMLDocument(PropertyManager, DTMLMethod):
        return result
-Globals.default__class_init__(DTMLDocument)
+InitializeClass(DTMLDocument)
 default_dd_html="""<dtml-var standard_html_header>

--- a/lib/python/OFS/DTMLMethod.py
+++ b/lib/python/OFS/DTMLMethod.py
@@ -16,9 +16,11 @@ $Id$
 """
 import History
 from Globals import HTML, DTMLFile, MessageDialog
+from Globals import InitializeClass
 from SimpleItem import Item_w__name__, pretty_tb
 from OFS.content_types import guess_content_type
 from PropertyManager import PropertyManager
+from AccessControl import ClassSecurityInfo
 from AccessControl.Role import RoleManager
 from webdav.common import rfc1123_date
 from webdav.Lockable import ResourceLockedError
@@ -28,6 +30,11 @@ from DateTime.DateTime import DateTime
 from urllib import quote
 import  Globals, sys, Acquisition
 from AccessControl import getSecurityManager
+from AccessControl.Permissions import change_dtml_methods
+from AccessControl.Permissions import view_management_screens
+from AccessControl.Permissions import change_proxy_roles
+from AccessControl.Permissions import view as View
+from AccessControl.Permissions import ftp_access
 from AccessControl.DTML import RestrictedDTML
 from Cache import Cacheable
 from zExceptions import Forbidden
@@ -50,6 +57,9 @@ class DTMLMethod(RestrictedDTML, HTML, Acquisition.Implicit, RoleManager,
    __implements__ = (WriteLockInterface,)
+    security = ClassSecurityInfo()
+    security.declareObjectProtected(View)
    # Documents masquerade as functions:
    class func_code: pass
    func_code=func_code()
@@ -74,28 +84,17 @@ class DTMLMethod(RestrictedDTML, HTML, Acquisition.Implicit, RoleManager,
        +Cacheable.manage_options
        )
-    # Careful in changes--used by DTMLDocument!
+    # Careful in permissiong changes--used by DTMLDocument!
-    __ac_permissions__=(
-    ('View management screens',
+    security.declareProtected(change_dtml_methods, 'manage_historyCopy')
-     ('document_src', 'PrincipiaSearchSource')),
+    security.declareProtected(change_dtml_methods, 'manage_beforeHistoryCopy')
-    ('Change DTML Methods',
+    security.declareProtected(change_dtml_methods, 'manage_afterHistoryCopy')
-     ('manage_editForm', 'manage', 'manage_main',
-      'manage_edit', 'manage_upload', 'PUT',
-      'manage_historyCopy',
-      'manage_beforeHistoryCopy', 'manage_afterHistoryCopy',
-      'ZCacheable_configHTML', 'getCacheNamespaceKeys',
-      'setCacheNamespaceKeys',
-      )
-     ),
-    ('Change proxy roles', ('manage_proxyForm', 'manage_proxy')),
-    ('View', ('__call__', 'get_size', '')),
-    ('FTP access', ('manage_FTPstat','manage_FTPget','manage_FTPlist')),
-    )
    # support a more reasonable default for content-type
    # for http HEAD requests.
    default_content_type='text/html'
+    security.declareProtected(View, '__call__')
    def __call__(self, client=None, REQUEST={}, RESPONSE=None, **kw):
        """Render the document given a client object, REQUEST mapping,
        Response, and key word arguments."""
@@ -190,14 +189,17 @@ class DTMLMethod(RestrictedDTML, HTML, Acquisition.Implicit, RoleManager,
                kw[key] = val
            self.ZCacheable_set(result, keywords=kw)
+    security.declareProtected(change_dtml_methods, 'ZCacheable_configHTML')
    ZCacheable_configHTML = DTMLFile('dtml/cacheNamespaceKeys', globals())
+    security.declareProtected(change_dtml_methods, 'getCacheNamespaceKeys')
    def getCacheNamespaceKeys(self):
        '''
        Returns the cacheNamespaceKeys.
        '''
        return self._cache_namespace_keys
+    security.declareProtected(change_dtml_methods, 'setCacheNamespaceKeys')
    def setCacheNamespaceKeys(self, keys, REQUEST=None):
        '''
        Sets the list of names that should be looked up in the
@@ -212,19 +214,26 @@ class DTMLMethod(RestrictedDTML, HTML, Acquisition.Implicit, RoleManager,
        if REQUEST is not None:
            return self.ZCacheable_manage(self, REQUEST)
+    security.declareProtected(View, 'get_size')
    def get_size(self):
        return len(self.raw)
    # deprecated; use get_size!
    getSize=get_size
+    security.declareProtected(change_dtml_methods, 'manage')
+    security.declareProtected(change_dtml_methods, 'manage_editForm')
    manage_editForm=DTMLFile('dtml/documentEdit', globals())
    manage_editForm._setName('manage_editForm')
    # deprecated!
    manage_uploadForm=manage_editForm
+    security.declareProtected(change_dtml_methods, 'manage_main')
    manage=manage_main=manage_editDocument=manage_editForm
+    security.declareProtected(change_proxy_roles, 'manage_proxyForm')
    manage_proxyForm=DTMLFile('dtml/documentProxy', globals())
    _size_changes={
@@ -252,6 +261,7 @@ class DTMLMethod(RestrictedDTML, HTML, Acquisition.Implicit, RoleManager,
        return self.manage_main(self, REQUEST, title=title,
                                __str__=self.quotedHTML(data))
+    security.declareProtected(change_dtml_methods, 'manage_edit')
    def manage_edit(self,data,title,SUBMIT='Change',dtpref_cols='100%',
                    dtpref_rows='20',REQUEST=None):
        """
@@ -277,6 +287,7 @@ class DTMLMethod(RestrictedDTML, HTML, Acquisition.Implicit, RoleManager,
            message="Saved changes."
            return self.manage_main(self,REQUEST,manage_tabs_message=message)
+    security.declareProtected(change_dtml_methods, 'manage_upload')
    def manage_upload(self,file='', REQUEST=None):
        """Replace the contents of the document with the text in file."""
        self._validateProxy(REQUEST)
@@ -315,6 +326,7 @@ class DTMLMethod(RestrictedDTML, HTML, Acquisition.Implicit, RoleManager,
            'do not have proxy roles.\n<!--%s, %s-->' % (self.__name__, u, roles))
+    security.declareProtected(change_proxy_roles, 'manage_proxy')
    def manage_proxy(self, roles=(), REQUEST=None):
        "Change Proxy Roles"
        self._validateProxy(REQUEST, roles)
@@ -325,10 +337,12 @@ class DTMLMethod(RestrictedDTML, HTML, Acquisition.Implicit, RoleManager,
            message="Saved changes."
            return self.manage_proxyForm(self,REQUEST,manage_tabs_message=message)
+    security.declareProtected(view_management_screens, 'PrincipiaSearchSource')
    def PrincipiaSearchSource(self):
        "Support for searching - the document's contents are searched."
        return self.read()
+    security.declareProtected(view_management_screens, 'document_src')
    def document_src(self, REQUEST=None, RESPONSE=None):
        """Return unprocessed document source."""
        if RESPONSE is not None:
@@ -337,6 +351,7 @@ class DTMLMethod(RestrictedDTML, HTML, Acquisition.Implicit, RoleManager,
    ## Protocol handlers
+    security.declareProtected(change_dtml_methods, 'PUT')
    def PUT(self, REQUEST, RESPONSE):
        """Handle HTTP PUT requests."""
        self.dav__init(REQUEST, RESPONSE)
@@ -348,6 +363,10 @@ class DTMLMethod(RestrictedDTML, HTML, Acquisition.Implicit, RoleManager,
        RESPONSE.setStatus(204)
        return RESPONSE
+    security.declareProtected(ftp_access, 'manage_FTPstat')
+    security.declareProtected(ftp_access, 'manage_FTPlist')
+    security.declareProtected(ftp_access, 'manage_FTPget')
    def manage_FTPget(self):
        "Get source for FTP download"
        return self.read()
@@ -361,6 +380,8 @@ class DTMLMethod(RestrictedDTML, HTML, Acquisition.Implicit, RoleManager,
                rev1.read(), rev2.read()
                ))
+InitializeClass(DTMLMethod)
 import re
 token = "[a-zA-Z0-9!#$%&'*+\-.\\\\^_`|~]+"
 hdr_start = re.compile(r'(%s):(.*)' % token).match

--- a/lib/python/OFS/FindSupport.py
+++ b/lib/python/OFS/FindSupport.py
@@ -17,14 +17,16 @@ $Id$
 from string import translate
-import Globals, ExtensionClass
+import ExtensionClass
 from AccessControl import ClassSecurityInfo
 from AccessControl.DTML import RestrictedDTML
 from AccessControl.Permission import name_trans
+from AccessControl.Permissions import view_management_screens
 from DateTime import DateTime
 from DocumentTemplate.DT_Util import Eval
 from DocumentTemplate.DT_Util import InstanceDict, TemplateDict
 from Globals import DTMLFile
+from Globals import InitializeClass
 from zope.interface import implements
 from interfaces import IFindSupport
@@ -36,31 +38,32 @@ class FindSupport(ExtensionClass.Base):
    implements(IFindSupport)
-#findframe is deprecated
+    security = ClassSecurityInfo()
+    #findframe is deprecated
+    security.declareProtected(view_management_screens, 'manage_findFrame')
    manage_findFrame=DTMLFile('dtml/findFrame', globals())
+    security.declareProtected(view_management_screens, 'manage_findForm')
    manage_findForm=DTMLFile('dtml/findForm', globals(),
                             management_view='Find')
+    security.declareProtected(view_management_screens, 'manage_findAdv')
    manage_findAdv=DTMLFile('dtml/findAdv', globals(),
                            management_view='Find',
                            help_topic='Find_Advanced.stx',
                            help_product='OFSP')
+    security.declareProtected(view_management_screens, 'manage_findResult')
    manage_findResult=DTMLFile('dtml/findResult', globals(),
                               management_view='Find')
-    __ac_permissions__=(
-        ('View management screens',
-         ('manage_findFrame', 'manage_findForm', 'manage_findAdv',
-          'manage_findResult')),
-        )
    manage_options=(
        {'label':'Find', 'action':'manage_findForm',
         'help':('OFSP','Find.stx')},
        )
-    security = ClassSecurityInfo()
+    security.declareProtected(view_management_screens, 'ZopeFind')
-    security.declareProtected('View management screens', 'ZopeFind')
    def ZopeFind(self, obj, obj_ids=None, obj_metatypes=None,
                 obj_searchterm=None, obj_expr=None,
                 obj_mtime=None, obj_mspec=None,
@@ -164,10 +167,10 @@ class FindSupport(ExtensionClass.Base):
-    security.declareProtected('View management screens', 'PrincipiaFind')
+    security.declareProtected(view_management_screens, 'PrincipiaFind')
    PrincipiaFind=ZopeFind
-    security.declareProtected('View management screens', 'ZopeFindAndApply')
+    security.declareProtected(view_management_screens, 'ZopeFindAndApply')
    def ZopeFindAndApply(self, obj, obj_ids=None, obj_metatypes=None,
                         obj_searchterm=None, obj_expr=None,
                         obj_mtime=None, obj_mspec=None,
@@ -259,7 +262,7 @@ class FindSupport(ExtensionClass.Base):
        return result
-Globals.InitializeClass(FindSupport)
+InitializeClass(FindSupport)
 class td(RestrictedDTML, TemplateDict):

--- a/lib/python/OFS/Folder.py
+++ b/lib/python/OFS/Folder.py
@@ -18,7 +18,7 @@ $Id$
 """
 import AccessControl.Role, webdav.Collection
-import Globals
+from Globals import InitializeClass
 from AccessControl import getSecurityManager
 from AccessControl import Unauthorized
 from AccessControl.Permissions import add_page_templates
@@ -108,4 +108,4 @@ class Folder(
        if id is not None:
            self.id = str(id)
-Globals.default__class_init__(Folder)
+InitializeClass(Folder)
--- a/lib/python/OFS/History.py
+++ b/lib/python/OFS/History.py
@@ -15,11 +15,14 @@
 $Id$
 """
 import Globals, ExtensionClass, difflib
+from Globals import InitializeClass
 from DateTime import DateTime
 from Acquisition import Implicit, aq_base
 from struct import pack, unpack
 from cgi import escape
 from zExceptions import Redirect
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import view_history
 class TemporalParadox(Exception): pass
@@ -84,26 +87,22 @@ class Historical(ExtensionClass.Base):
    they don't have persistent sub-objects.
    """
-    HistoricalRevisions=Historian()
+    security = ClassSecurityInfo()
-    __ac_permissions__=(
+    HistoricalRevisions=Historian()
-        ('View History',
-         ('manage_change_history_page','manage_change_history',
-          'manage_historyCompare', 'manage_historicalComparison',
-          )
-         ),
-        )
    manage_options=({'label':'History', 'action':'manage_change_history_page',
                     'help':('OFSP','History.stx')
                     },
                   )
+    security.declareProtected(view_history, 'manage_change_history_page')
    manage_change_history_page=Globals.DTMLFile(
        'dtml/history', globals(),
        HistoryBatchSize=20,
        first_transaction=0, last_transaction=20)
+    security.declareProtected(view_history, 'manage_change_history')
    def manage_change_history(self):
        first=0
        last=20
@@ -161,6 +160,7 @@ class Historical(ExtensionClass.Base):
    _manage_historyComparePage=Globals.DTMLFile(
        'dtml/historyCompare', globals(), management_view='History')
+    security.declareProtected(view_history, 'manage_historyCompare')
    def manage_historyCompare(self, rev1, rev2, REQUEST,
                              historyComparisonResults=''):
        dt1=DateTime(rev1._p_mtime)
@@ -170,6 +170,7 @@ class Historical(ExtensionClass.Base):
            dt1=dt1, dt2=dt2,
            historyComparisonResults=historyComparisonResults)
+    security.declareProtected(view_history, 'manage_historicalComparison')
    def manage_historicalComparison(self, REQUEST, keys=[]):
        "Compare two selected revisions"
        if not keys:
@@ -192,7 +193,8 @@ class Historical(ExtensionClass.Base):
        return self.manage_historyCompare(rev1, rev2, REQUEST)
-Globals.default__class_init__(Historical)
+InitializeClass(Historical)
 def dump(tag, x, lo, hi, r):
    r1=[]

--- a/lib/python/OFS/Image.py
+++ b/lib/python/OFS/Image.py
@@ -14,11 +14,18 @@
 $Id$
 """
-import Globals, struct
+import struct
 from OFS.content_types import guess_content_type
 from Globals import DTMLFile
+from Globals import InitializeClass
 from PropertyManager import PropertyManager
+from AccessControl import ClassSecurityInfo
 from AccessControl.Role import RoleManager
+from AccessControl.Permissions import change_images_and_files
+from AccessControl.Permissions import view_management_screens
+from AccessControl.Permissions import view as View
+from AccessControl.Permissions import ftp_access
+from AccessControl.Permissions import delete_objects
 from webdav.common import rfc1123_date
 from webdav.Lockable import ResourceLockedError
 from webdav.WriteLockInterface import WriteLockInterface
@@ -74,6 +81,8 @@ class File(Persistent, Implicit, PropertyManager,
    __implements__ = (WriteLockInterface, HTTPRangeSupport.HTTPRangeInterface)
    meta_type='File'
+    security = ClassSecurityInfo()
+    security.declareObjectProtected(View)
    precondition=''
    size=None
@@ -82,6 +91,9 @@ class File(Persistent, Implicit, PropertyManager,
    manage_editForm  =DTMLFile('dtml/fileEdit',globals(),
                               Kind='File',kind='file')
    manage_editForm._setName('manage_editForm')
+    security.declareProtected(view_management_screens, 'manage')
+    security.declareProtected(view_management_screens, 'manage_main')
    manage=manage_main=manage_editForm
    manage_uploadForm=manage_editForm
@@ -98,22 +110,6 @@ class File(Persistent, Implicit, PropertyManager,
        + Cacheable.manage_options
        )
-    __ac_permissions__=(
-        ('View management screens',
-         ('manage', 'manage_main',)),
-        ('Change Images and Files',
-         ('manage_edit','manage_upload','PUT')),
-        ('View',
-         ('index_html', 'view_image_or_file', 'get_size',
-          'getContentType', 'PrincipiaSearchSource', '')),
-        ('FTP access',
-         ('manage_FTPstat','manage_FTPget','manage_FTPlist')),
-        ('Delete objects',
-         ('DELETE',)),
-        )
    _properties=({'id':'title', 'type': 'string'},
                 {'id':'alt', 'type':'string'},
                 {'id':'content_type', 'type':'string'},
@@ -355,6 +351,7 @@ class File(Persistent, Implicit, PropertyManager,
                    RESPONSE.write('\r\n--%s--\r\n' % boundary)
                    return True
+    security.declareProtected(View, 'index_html')
    def index_html(self, REQUEST, RESPONSE):
        """
        The default view of the contents of a File or Image.
@@ -414,12 +411,14 @@ class File(Persistent, Implicit, PropertyManager,
        return ''
+    security.declareProtected(View, 'view_image_or_file')
    def view_image_or_file(self, URL1):
        """
        The default view of the contents of the File or Image.
        """
        raise Redirect, URL1
+    security.declareProtected(View, 'PrincipiaSearchSource')
    def PrincipiaSearchSource(self):
        """ Allow file objects to be searched.
        """
@@ -427,8 +426,7 @@ class File(Persistent, Implicit, PropertyManager,
            return str(self.data)
        return ''
-    # private
+    security.declarePrivate('update_data')
-    update_data__roles__=()
    def update_data(self, data, content_type=None, size=None):
        if content_type is not None: self.content_type=content_type
        if size is None: size=len(data)
@@ -438,6 +436,7 @@ class File(Persistent, Implicit, PropertyManager,
        self.ZCacheable_set(None)
        self.http__refreshEtag()
+    security.declareProtected(change_images_and_files, 'manage_edit')
    def manage_edit(self, title, content_type, precondition='',
                    filedata=None, REQUEST=None):
        """
@@ -458,6 +457,7 @@ class File(Persistent, Implicit, PropertyManager,
            message="Saved changes."
            return self.manage_main(self,REQUEST,manage_tabs_message=message)
+    security.declareProtected(change_images_and_files, 'manage_upload')
    def manage_upload(self,file='',REQUEST=None):
        """
        Replaces the current contents of the File or Image object with file.
@@ -553,6 +553,9 @@ class File(Persistent, Implicit, PropertyManager,
        return next, size
+    security.declareProtected(delete_objects, 'DELETE')
+    security.declareProtected(change_images_and_files, 'PUT')
    def PUT(self, REQUEST, RESPONSE):
        """Handle HTTP PUT requests"""
        self.dav__init(REQUEST, RESPONSE)
@@ -569,6 +572,7 @@ class File(Persistent, Implicit, PropertyManager,
        RESPONSE.setStatus(204)
        return RESPONSE
+    security.declareProtected(View, 'get_size')
    def get_size(self):
        """Get the size of a file or image.
@@ -581,6 +585,7 @@ class File(Persistent, Implicit, PropertyManager,
    # deprecated; use get_size!
    getSize=get_size
+    security.declareProtected(View, 'getContentType')
    def getContentType(self):
        """Get the content type of a file or image.
@@ -592,6 +597,10 @@ class File(Persistent, Implicit, PropertyManager,
    def __str__(self): return str(self.data)
    def __len__(self): return 1
+    security.declareProtected(ftp_access, 'manage_FTPstat')
+    security.declareProtected(ftp_access, 'manage_FTPlist')
+    security.declareProtected(ftp_access, 'manage_FTPget')
    def manage_FTPget(self):
        """Return body for ftp."""
        RESPONSE = self.REQUEST.RESPONSE
@@ -719,23 +728,23 @@ class Image(File):
    __implements__ = (WriteLockInterface,)
    meta_type='Image'
+    security = ClassSecurityInfo()
+    security.declareObjectProtected(View)
    height=''
    width=''
-    __ac_permissions__=(
+    # FIXME: Redundant, already in base class
-        ('View management screens',
+    security.declareProtected(change_images_and_files, 'manage_edit')
-         ('manage', 'manage_main',)),
+    security.declareProtected(change_images_and_files, 'manage_upload')
-        ('Change Images and Files',
+    security.declareProtected(change_images_and_files, 'PUT')
-         ('manage_edit','manage_upload','PUT')),
+    security.declareProtected(View, 'index_html')
-        ('View',
+    security.declareProtected(View, 'get_size')
-         ('index_html', 'tag', 'view_image_or_file', 'get_size',
+    security.declareProtected(View, 'getContentType')
-          'getContentType', '')),
+    security.declareProtected(ftp_access, 'manage_FTPstat')
-        ('FTP access',
+    security.declareProtected(ftp_access, 'manage_FTPlist')
-         ('manage_FTPstat','manage_FTPget','manage_FTPlist')),
+    security.declareProtected(ftp_access, 'manage_FTPget')
-        ('Delete objects',
+    security.declareProtected(delete_objects, 'DELETE')
-         ('DELETE',)),
-        )
    _properties=({'id':'title', 'type': 'string'},
                 {'id':'content_type', 'type':'string','mode':'w'},
@@ -756,13 +765,17 @@ class Image(File):
    manage_editForm  =DTMLFile('dtml/imageEdit',globals(),
                               Kind='Image',kind='image')
-    view_image_or_file =DTMLFile('dtml/imageView',globals())
    manage_editForm._setName('manage_editForm')
+    security.declareProtected(View, 'view_image_or_file')
+    view_image_or_file =DTMLFile('dtml/imageView',globals())
+    security.declareProtected(view_management_screens, 'manage')
+    security.declareProtected(view_management_screens, 'manage_main')
    manage=manage_main=manage_editForm
    manage_uploadForm=manage_editForm
-    # private
+    security.declarePrivate('update_data')
-    update_data__roles__=()
    def update_data(self, data, content_type=None, size=None):
        if size is None: size=len(data)
@@ -785,6 +798,7 @@ class Image(File):
    def __str__(self):
        return self.tag()
+    security.declareProtected(View, 'tag')
    def tag(self, height=None, width=None, alt=None,
            scale=0, xscale=0, yscale=0, css_class=None, title=None, **args):
        """

--- a/lib/python/OFS/ObjectManager.py
+++ b/lib/python/OFS/ObjectManager.py
@@ -24,13 +24,20 @@ from types import StringType, UnicodeType
 import App.Common
 import App.FactoryDispatcher, Products
-import App.Management, Acquisition, Globals, Products
+import App.Management, Acquisition
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import view_management_screens
+from AccessControl.Permissions import access_contents_information
+from AccessControl.Permissions import delete_objects
+from AccessControl.Permissions import ftp_access
+from AccessControl.Permissions import import_export_objects
 from AccessControl import getSecurityManager
 from AccessControl.ZopeSecurityPolicy import getRoles
 from Acquisition import aq_base
 from App.config import getConfiguration
+from Globals import InitializeClass
 from Globals import DTMLFile, Persistent
-from Globals import MessageDialog, default__class_init__
+from Globals import MessageDialog
 from Globals import REPLACEABLE, NOT_REPLACEABLE, UNIQUE
 from webdav.Collection import Collection
 from webdav.Lockable import ResourceLockedError
@@ -133,20 +140,10 @@ class ObjectManager(
    implements(IObjectManager)
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('View management screens', ('manage_main',)),
+    security.declareObjectProtected(access_contents_information)
-        ('Access contents information',
+    security.setPermissionDefault(access_contents_information,
-         ('objectIds', 'objectValues', 'objectItems',''),
+                                  ('Anonymous', 'Manager'))
-         ('Anonymous', 'Manager'),
-         ),
-        ('Delete objects',     ('manage_delObjects',)),
-        ('FTP access',         ('manage_FTPstat','manage_FTPlist')),
-        ('Import/Export objects',
-         ('manage_importObject','manage_importExportForm',
-          'manage_exportObject')
-         ),
-    )
    meta_type = 'Object Manager'
@@ -154,7 +151,9 @@ class ObjectManager(
    _objects = ()
+    security.declareProtected(view_management_screens, 'manage_main')
    manage_main=DTMLFile('dtml/main', globals())
    manage_index_main=DTMLFile('dtml/index_main', globals())
    manage_options=(
@@ -177,7 +176,7 @@ class ObjectManager(
        mt.sort()
        self.meta_types=tuple(mt)
-        default__class_init__(self)
+        InitializeClass(self) # default__class_init__
    def all_meta_types(self, interfaces=None):
        # A list of products registered elsewhere
@@ -362,6 +361,7 @@ class ObjectManager(
        if not suppress_events:
            notify(ObjectRemovedEvent(ob, self, id))
+    security.declareProtected(access_contents_information, 'objectIds')
    def objectIds(self, spec=None):
        # Returns a list of subobject ids of the current object.
        # If 'spec' is specified, returns objects whose meta_type
@@ -376,12 +376,14 @@ class ObjectManager(
            return set
        return [ o['id']  for o in self._objects ]
+    security.declareProtected(access_contents_information, 'objectValues')
    def objectValues(self, spec=None):
        # Returns a list of actual subobjects of the current object.
        # If 'spec' is specified, returns only objects whose meta_type
        # match 'spec'.
        return [ self._getOb(id) for id in self.objectIds(spec) ]
+    security.declareProtected(access_contents_information, 'objectItems')
    def objectItems(self, spec=None):
        # Returns a list of (id, subobject) tuples of the current object.
        # If 'spec' is specified, returns only objects whose meta_type match
@@ -456,6 +458,7 @@ class ObjectManager(
    manage_addProduct=App.FactoryDispatcher.ProductDispatcher()
+    security.declareProtected(delete_objects, 'manage_delObjects')
    def manage_delObjects(self, ids=[], REQUEST=None):
        """Delete a subordinate object
@@ -512,6 +515,7 @@ class ObjectManager(
                    r.append(o)
        return r
+    security.declareProtected(import_export_objects, 'manage_exportObject')
    def manage_exportObject(self, id='', download=None, toxml=None,
                            RESPONSE=None,REQUEST=None):
        """Exports an object to a file and returns that file."""
@@ -548,8 +552,10 @@ class ObjectManager(
                title = 'Object exported')
+    security.declareProtected(import_export_objects, 'manage_importExportForm')
    manage_importExportForm=DTMLFile('dtml/importExport',globals())
+    security.declareProtected(import_export_objects, 'manage_importObject')
    def manage_importObject(self, file, REQUEST=None, set_owner=1):
        """Import an object from a file"""
        dirname, file=os.path.split(file)
@@ -608,6 +614,7 @@ class ObjectManager(
    # FTP support methods
+    security.declareProtected(ftp_access, 'manage_FTPlist')
    def manage_FTPlist(self, REQUEST):
        """Directory listing for FTP.
        """
@@ -672,6 +679,7 @@ class ObjectManager(
        if not REQUEST['id'] in self.objectIds():
            raise KeyError(REQUEST['id'])
+    security.declareProtected(ftp_access, 'manage_FTPstat')
    def manage_FTPstat(self,REQUEST):
        """Psuedo stat, used by FTP for directory listings.
        """
@@ -710,6 +718,9 @@ class ObjectManager(
                return NullResource(self, key, request).__of__(self)
        raise KeyError, key
+# Don't InitializeClass, there is a specific __class_init__ on ObjectManager
+# InitializeClass(ObjectManager)
 def findChildren(obj,dirname=''):
    """ recursive walk through the object hierarchy to
@@ -738,5 +749,3 @@ class IFAwareObjectManager:
                except: pass    # Bleah generic pass is bad
        return ObjectManager.all_meta_types(self, interfaces)
-Globals.default__class_init__(ObjectManager)
--- a/lib/python/OFS/PropertyManager.py
+++ b/lib/python/OFS/PropertyManager.py
@@ -18,7 +18,11 @@ $Id$
 from cgi import escape
 from types import ListType
-import ExtensionClass, Globals
+import ExtensionClass
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import access_contents_information
+from AccessControl.Permissions import manage_properties
 from Acquisition import aq_base
 from Globals import DTMLFile, MessageDialog
 from Globals import Persistent
@@ -97,35 +101,26 @@ class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
    implements(IPropertyManager)
+    security = ClassSecurityInfo()
+    security.declareObjectProtected(access_contents_information)
+    security.setPermissionDefault(access_contents_information,
+                                  ('Anonymous', 'Manager'))
    manage_options=(
        {'label':'Properties', 'action':'manage_propertiesForm',
         'help':('OFSP','Properties.stx')},
        )
+    security.declareProtected(manage_properties, 'manage_propertiesForm')
    manage_propertiesForm=DTMLFile('dtml/properties', globals(),
                                   property_extensible_schema__=1)
+    security.declareProtected(manage_properties, 'manage_propertyTypeForm')
    manage_propertyTypeForm=DTMLFile('dtml/propertyType', globals())
    title=''
    _properties=({'id':'title', 'type': 'string', 'mode':'wd'},)
    _reserved_names=()
-    __ac_permissions__=(
-        ('Manage properties', ('manage_addProperty',
-                               'manage_editProperties',
-                               'manage_delProperties',
-                               'manage_changeProperties',
-                               'manage_propertiesForm',
-                               'manage_propertyTypeForm',
-                               'manage_changePropertyTypes',
-                               )),
-        ('Access contents information',
-         ('hasProperty', 'propertyIds', 'propertyValues','propertyItems',
-          'getProperty', 'getPropertyType', 'propertyMap', ''),
-         ('Anonymous', 'Manager'),
-         ),
-        )
    __propsets__=()
    propertysheets=vps(DefaultPropertySheets)
@@ -135,6 +130,7 @@ class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
            return 0
        return 1
+    security.declareProtected(access_contents_information, 'hasProperty')
    def hasProperty(self, id):
        """Return true if object has a property 'id'.
        """
@@ -143,6 +139,7 @@ class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
                return 1
        return 0
+    security.declareProtected(access_contents_information, 'getProperty')
    def getProperty(self, id, d=None):
        """Get the property 'id'.
@@ -153,6 +150,7 @@ class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
            return getattr(self, id)
        return d
+    security.declareProtected(access_contents_information, 'getPropertyType')
    def getPropertyType(self, id):
        """Get the type of property 'id'.
@@ -220,16 +218,19 @@ class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
        self._properties=tuple(filter(lambda i, n=id: i['id'] != n,
                                      self._properties))
+    security.declareProtected(access_contents_information, 'propertyIds')
    def propertyIds(self):
        """Return a list of property ids.
        """
        return map(lambda i: i['id'], self._properties)
+    security.declareProtected(access_contents_information, 'propertyValues')
    def propertyValues(self):
        """Return a list of actual property objects.
        """
        return map(lambda i,s=self: getattr(s,i['id']), self._properties)
+    security.declareProtected(access_contents_information, 'propertyItems')
    def propertyItems(self):
        """Return a list of (id,property) tuples.
        """
@@ -240,6 +241,7 @@ class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
        """
        return self._properties
+    security.declareProtected(access_contents_information, 'propertyMap')
    def propertyMap(self):
        """Return a tuple of mappings, giving meta-data for properties.
@@ -264,6 +266,7 @@ class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
    # Web interface
+    security.declareProtected(manage_properties, 'manage_addProperty')
    def manage_addProperty(self, id, value, type, REQUEST=None):
        """Add a new property via the web.
@@ -275,6 +278,7 @@ class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
        if REQUEST is not None:
            return self.manage_propertiesForm(self, REQUEST)
+    security.declareProtected(manage_properties, 'manage_editProperties')
    def manage_editProperties(self, REQUEST):
        """Edit object properties via the web.
@@ -296,6 +300,7 @@ class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
            return self.manage_propertiesForm(self,REQUEST,
                                              manage_tabs_message=message)
+    security.declareProtected(manage_properties, 'manage_changeProperties')
    def manage_changeProperties(self, REQUEST=None, **kw):
        """Change existing object properties.
@@ -321,6 +326,7 @@ class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
    # Note - this is experimental, pending some community input.
+    security.declareProtected(manage_properties, 'manage_changePropertyTypes')
    def manage_changePropertyTypes(self, old_ids, props, REQUEST=None):
        """Replace one set of properties with another
@@ -340,6 +346,7 @@ class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
            return self.manage_propertiesForm(self, REQUEST)
+    security.declareProtected(manage_properties, 'manage_delProperties')
    def manage_delProperties(self, ids=None, REQUEST=None):
        """Delete one or more properties specified by 'ids'."""
        if REQUEST:
@@ -367,4 +374,4 @@ class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
        if REQUEST is not None:
            return self.manage_propertiesForm(self, REQUEST)
-Globals.default__class_init__(PropertyManager)
+InitializeClass(PropertyManager)
--- a/lib/python/OFS/PropertySheets.py
+++ b/lib/python/OFS/PropertySheets.py
@@ -18,6 +18,7 @@ import time,  App.Management, Globals, sys
 from webdav.interfaces import IWriteLock
 from webdav.WriteLockInterface import WriteLockInterface
 from ZPublisher.Converters import type_converters
+from Globals import InitializeClass
 from Globals import DTMLFile, MessageDialog
 from Acquisition import Implicit, Explicit
 from App.Common import rfc1123_date, iso8601_date
@@ -26,6 +27,10 @@ from ExtensionClass import Base
 from Globals import Persistent
 from Traversable import Traversable
 from Acquisition import aq_base
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import access_contents_information
+from AccessControl.Permissions import manage_properties
+from AccessControl.Permissions import view_management_screens
 from AccessControl import getSecurityManager
 from webdav.common import isDavCollection
 from zExceptions import BadRequest, Redirect
@@ -100,20 +105,10 @@ class PropertySheet(Traversable, Persistent, Implicit):
    _extensible=1
    icon='p_/Properties_icon'
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('Manage properties', ('manage_addProperty',
+    security.declareObjectProtected(access_contents_information)
-                               'manage_editProperties',
+    security.setPermissionDefault(access_contents_information,
-                               'manage_delProperties',
+                                  ('Anonymous', 'Manager'))
-                               'manage_changeProperties',
-                               'manage_propertiesForm',
-                               )),
-        ('Access contents information',
-         ('xml_namespace', 'hasProperty', 'getProperty', 'getPropertyType',
-          'propertyIds', 'propertyValues','propertyItems', 'propertyInfo',
-          'propertyMap', ''),
-         ('Anonymous', 'Manager'),
-         ),
-        )
    __reserved_ids= ('values','items')
@@ -139,6 +134,7 @@ class PropertySheet(Traversable, Persistent, Implicit):
    def getId(self):
        return self.id
+    security.declareProtected(access_contents_information, 'xml_namespace')
    def xml_namespace(self):
        # Return a namespace string usable as an xml namespace
        # for this property set.
@@ -156,6 +152,7 @@ class PropertySheet(Traversable, Persistent, Implicit):
            return 0
        return 1
+    security.declareProtected(access_contents_information, 'hasProperty')
    def hasProperty(self, id):
        # Return a true value if a property exists with the given id.
        for prop in self._propertyMap():
@@ -163,6 +160,7 @@ class PropertySheet(Traversable, Persistent, Implicit):
                return 1
        return 0
+    security.declareProtected(access_contents_information, 'getProperty')
    def getProperty(self, id, default=None):
        # Return the property with the given id, returning the optional
        # second argument or None if no such property is found.
@@ -170,6 +168,7 @@ class PropertySheet(Traversable, Persistent, Implicit):
            return getattr(self.v_self(), id)
        return default
+    security.declareProtected(access_contents_information, 'getPropertyType')
    def getPropertyType(self, id):
        """Get the type of property 'id', returning None if no
           such property exists"""
@@ -263,20 +262,24 @@ class PropertySheet(Traversable, Persistent, Implicit):
        pself._properties=tuple(filter(lambda i, n=id: i['id'] != n,
                                       pself._properties))
+    security.declareProtected(access_contents_information, 'propertyIds')
    def propertyIds(self):
        # Return a list of property ids.
        return map(lambda i: i['id'], self._propertyMap())
+    security.declareProtected(access_contents_information, 'propertyValues')
    def propertyValues(self):
        # Return a list of property values.
        return map(lambda i, s=self: s.getProperty(i['id']),
                   self._propertyMap())
+    security.declareProtected(access_contents_information, 'propertyItems')
    def propertyItems(self):
        # Return a list of (id, property) tuples.
        return map(lambda i, s=self: (i['id'], s.getProperty(i['id'])),
                   self._propertyMap())
+    security.declareProtected(access_contents_information, 'propertyInfo')
    def propertyInfo(self, id):
        # Return a mapping containing property meta-data
        for p in self._propertyMap():
@@ -289,6 +292,7 @@ class PropertySheet(Traversable, Persistent, Implicit):
        # we have to fake it...
        return self.p_self()._properties
+    security.declareProtected(access_contents_information, 'propertyMap')
    def propertyMap(self):
        # Returns a secure copy of the property definitions.
        return tuple(map(lambda dict: dict.copy(), self._propertyMap()))
@@ -399,10 +403,13 @@ class PropertySheet(Traversable, Persistent, Implicit):
    # Web interface
    manage=DTMLFile('dtml/properties', globals())
+    security.declareProtected(manage_properties, 'manage_propertiesForm')
    def manage_propertiesForm(self, URL1):
        " "
        raise Redirect, URL1+'/manage'
+    security.declareProtected(manage_properties, 'manage_addProperty')
    def manage_addProperty(self, id, value, type, REQUEST=None):
        """Add a new property via the web. Sets a new property with
        the given id, type, and value."""
@@ -412,6 +419,7 @@ class PropertySheet(Traversable, Persistent, Implicit):
        if REQUEST is not None:
            return self.manage(self, REQUEST)
+    security.declareProtected(manage_properties, 'manage_editProperties')
    def manage_editProperties(self, REQUEST):
        """Edit object properties via the web."""
        for prop in self._propertyMap():
@@ -424,6 +432,7 @@ class PropertySheet(Traversable, Persistent, Implicit):
               message='Your changes have been saved',
               action ='manage')
+    security.declareProtected(manage_properties, 'manage_changeProperties')
    def manage_changeProperties(self, REQUEST=None, **kw):
        """Change existing object properties by passing either a mapping
           object of name:value pairs {'foo':6} or passing name=value
@@ -446,6 +455,7 @@ class PropertySheet(Traversable, Persistent, Implicit):
                message='Your changes have been saved.',
                action ='manage')
+    security.declareProtected(manage_properties, 'manage_delProperties')
    def manage_delProperties(self, ids=None, REQUEST=None):
        """Delete one or more properties specified by 'ids'."""
        if REQUEST:
@@ -462,7 +472,7 @@ class PropertySheet(Traversable, Persistent, Implicit):
        if REQUEST is not None:
            return self.manage(self, REQUEST)
-Globals.default__class_init__(PropertySheet)
+InitializeClass(PropertySheet)
 class Virtual:
@@ -483,7 +493,7 @@ class DefaultProperties(Virtual, PropertySheet, View):
    id='default'
    _md={'xmlns': 'http://www.zope.org/propsets/default'}
-Globals.default__class_init__(DefaultProperties)
+InitializeClass(DefaultProperties)
 class DAVProperties(Virtual, PropertySheet, View):
@@ -596,7 +606,7 @@ class DAVProperties(Virtual, PropertySheet, View):
        return out
-Globals.default__class_init__(DAVProperties)
+InitializeClass(DAVProperties)
 class PropertySheets(Traversable, Implicit, App.Management.Tabs):
@@ -605,18 +615,10 @@ class PropertySheets(Traversable, Implicit, App.Management.Tabs):
    id='propertysheets'
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('Manage properties', ('manage_addPropertySheet',
+    security.declareObjectProtected(access_contents_information)
-                               'addPropertySheet',
+    security.setPermissionDefault(access_contents_information,
-                               'delPropertySheet'
+                                  ('Anonymous', 'Manager'))
-                               )),
-        ('Access contents information',
-         ('items', 'values', 'get', ''),
-         ('Anonymous', 'Manager'),
-         ),
-        ('View management screens', ('manage',)),
-        )
    # optionally to be overridden by derived classes
    PropertySheetClass= PropertySheet
@@ -639,10 +641,12 @@ class PropertySheets(Traversable, Implicit, App.Management.Tabs):
    def __getitem__(self, n):
        return self.__propsets__()[n].__of__(self)
+    security.declareProtected(access_contents_information, 'values')
    def values(self):
        propsets=self.__propsets__()
        return map(lambda n, s=self: n.__of__(s), propsets)
+    security.declareProtected(access_contents_information, 'items')
    def items(self):
        propsets=self.__propsets__()
        r=[]
@@ -653,6 +657,7 @@ class PropertySheets(Traversable, Implicit, App.Management.Tabs):
        return r
+    security.declareProtected(access_contents_information, 'get')
    def get(self, name, default=None):
        for propset in self.__propsets__():
            if propset.id==name or (hasattr(propset, 'xml_namespace') and \
@@ -660,6 +665,7 @@ class PropertySheets(Traversable, Implicit, App.Management.Tabs):
                return propset.__of__(self)
        return default
+    security.declareProtected(manage_properties, 'manage_addPropertySheet')
    def manage_addPropertySheet(self, id, ns, REQUEST=None):
        """ """
        md={'xmlns':ns}
@@ -669,11 +675,13 @@ class PropertySheets(Traversable, Implicit, App.Management.Tabs):
        ps= self.get(id)
        REQUEST.RESPONSE.redirect('%s/manage' % ps.absolute_url())
+    security.declareProtected(manage_properties, 'addPropertySheet')
    def addPropertySheet(self, propset):
        propsets=self.aq_parent.__propsets__
        propsets=propsets+(propset,)
        self.aq_parent.__propsets__=propsets
+    security.declareProtected(manage_properties, 'delPropertySheet')
    def delPropertySheet(self, name):
        result=[]
        for propset in self.aq_parent.__propsets__:
@@ -709,6 +717,7 @@ class PropertySheets(Traversable, Implicit, App.Management.Tabs):
    # Management interface:
+    security.declareProtected(view_management_screens, 'manage')
    manage=Globals.DTMLFile('dtml/propertysheets', globals())
    def manage_options(self):
@@ -737,7 +746,7 @@ class PropertySheets(Traversable, Implicit, App.Management.Tabs):
        return PropertySheets.inheritedAttribute('tabs_path_info')(
            self, script, path)
-Globals.default__class_init__(PropertySheets)
+InitializeClass(PropertySheets)
 class DefaultPropertySheets(PropertySheets):
@@ -749,7 +758,7 @@ class DefaultPropertySheets(PropertySheets):
    def _get_defaults(self):
        return (self.default, self.webdav)
-Globals.default__class_init__(DefaultPropertySheets)
+InitializeClass(DefaultPropertySheets)
 class FixedSchema(PropertySheet):
@@ -786,7 +795,7 @@ class FixedSchema(PropertySheet):
        return 0
        return self._base._extensible
-Globals.default__class_init__(FixedSchema)
+InitializeClass(FixedSchema)
 class vps(Base):

--- a/lib/python/OFS/SimpleItem.py
+++ b/lib/python/OFS/SimpleItem.py
@@ -25,7 +25,10 @@ import marshal, re, sys, time
 import AccessControl.Role, AccessControl.Owned, App.Common
 import Globals, App.Management, Acquisition, App.Undo
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 from AccessControl import getSecurityManager, Unauthorized
+from AccessControl.Permissions import view as View
 from AccessControl.ZopeSecurityPolicy import getRoles
 from Acquisition import aq_base, aq_parent, aq_inner, aq_acquire
 from ComputedAttribute import ComputedAttribute
@@ -52,11 +55,12 @@ class Item(Base, Resource, CopySource, App.Management.Tabs, Traversable,
           AccessControl.Owned.Owned,
           App.Undo.UndoSupport,
           ):
    """A common base class for simple, non-container objects."""
    implements(IItem)
+    security = ClassSecurityInfo()
    isPrincipiaFolderish=0
    isTopLevelPrincipiaApplicationObject=0
@@ -75,7 +79,7 @@ class Item(Base, Resource, CopySource, App.Management.Tabs, Traversable,
    # Direct use of the 'id' attribute is deprecated - use getId()
    id=''
-    getId__roles__=None
+    security.declarePublic('getId')
    def getId(self):
        """Return the id of the object as a string.
@@ -350,7 +354,7 @@ class Item(Base, Resource, CopySource, App.Management.Tabs, Traversable,
        res += '>'
        return res
-Globals.default__class_init__(Item)
+InitializeClass(Item)
 class Item_w__name__(Item):
@@ -414,11 +418,13 @@ class SimpleItem(Item, Globals.Persistent,
    implements(ISimpleItem)
+    security = ClassSecurityInfo()
+    security.setPermissionDefault(View, ('Manager',))
    manage_options=Item.manage_options+(
        {'label':'Security',
         'action':'manage_access',
         'help':('OFSP', 'Security.stx')},
        )
-    __ac_permissions__=(('View', ()),)
+InitializeClass(SimpleItem)
--- a/lib/python/OFS/Traversable.py
+++ b/lib/python/OFS/Traversable.py
@@ -17,6 +17,8 @@ $Id$
 from urllib import quote
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 from AccessControl import getSecurityManager
 from AccessControl import Unauthorized
 from AccessControl.ZopeGuards import guarded_getattr
@@ -34,7 +36,9 @@ class Traversable:
    implements(ITraversable)
-    absolute_url__roles__=None # Public
+    security = ClassSecurityInfo()
+    security.declarePublic('absolute_url')
    def absolute_url(self, relative=0):
        """Return the absolute URL of the object.
@@ -61,7 +65,7 @@ class Traversable:
            return path2url(spp[1:])
        return toUrl(spp)
-    absolute_url_path__roles__=None # Public
+    security.declarePublic('absolute_url_path')
    def absolute_url_path(self):
        """Return the path portion of the absolute URL of the object.
@@ -75,7 +79,7 @@ class Traversable:
            return path2url(spp) or '/'
        return toUrl(spp, relative=1) or '/'
-    virtual_url_path__roles__=None # Public
+    security.declarePublic('virtual_url_path')
    def virtual_url_path(self):
        """Return a URL for the object, relative to the site root.
@@ -90,10 +94,10 @@ class Traversable:
            return path2url(spp[1:])
        return path2url(toVirt(spp))
-    getPhysicalRoot__roles__=() # Private
+    security.declarePrivate('getPhysicalRoot')
    getPhysicalRoot=Acquired
-    getPhysicalPath__roles__=None # Public
+    security.declarePublic('getPhysicalPath')
    def getPhysicalPath(self):
        """Get the physical path of the object.
@@ -110,7 +114,7 @@ class Traversable:
        return path
-    unrestrictedTraverse__roles__=() # Private
+    security.declarePrivate('unrestrictedTraverse')
    def unrestrictedTraverse(self, path, default=_marker, restricted=0):
        """Lookup an object by path.
@@ -232,10 +236,13 @@ class Traversable:
            else:
                raise
-    restrictedTraverse__roles__=None # Public
+    security.declarePublic('restrictedTraverse')
    def restrictedTraverse(self, path, default=_marker):
        # Trusted code traversal code, always enforces security
        return self.unrestrictedTraverse(path, default, restricted=1)
+InitializeClass(Traversable)
 def path2url(path):
    return '/'.join(map(quote, path))
--- a/lib/python/OFS/ZDOM.py
+++ b/lib/python/OFS/ZDOM.py
@@ -16,6 +16,9 @@ DOM implementation in ZOPE : Read-Only methods
 All standard Zope objects support DOM to a limited extent.
 """
 import Acquisition
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import access_contents_information
 # Node type codes
@@ -82,61 +85,65 @@ class Node:
    Node Interface
    """
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('Access contents information',
-            ('getNodeName', 'getNodeValue', 'getParentNode',
-            'getChildNodes', 'getFirstChild', 'getLastChild',
-            'getPreviousSibling', 'getNextSibling', 'getOwnerDocument',
-            'getAttributes', 'hasChildNodes'),
-        ),
-    )
    # DOM attributes
    # --------------
+    security.declareProtected(access_contents_information, 'getNodeName')
    def getNodeName(self):
        """The name of this node, depending on its type"""
        return None
+    security.declareProtected(access_contents_information, 'getNodeValue')
    def getNodeValue(self):
        """The value of this node, depending on its type"""
        return None
+    security.declareProtected(access_contents_information, 'getParentNode')
    def getParentNode(self):
        """The parent of this node.  All nodes except Document
        DocumentFragment and Attr may have a parent"""
        return None
+    security.declareProtected(access_contents_information, 'getChildNodes')
    def getChildNodes(self):
        """Returns a NodeList that contains all children of this node.
        If there are no children, this is a empty NodeList"""
        return NodeList()
+    security.declareProtected(access_contents_information, 'getFirstChild')
    def getFirstChild(self):
        """The first child of this node. If there is no such node
        this returns None."""
        return None
+    security.declareProtected(access_contents_information, 'getLastChild')
    def getLastChild(self):
        """The last child of this node. If there is no such node
        this returns None."""
        return None
+    security.declareProtected(access_contents_information,
+                              'getPreviousSibling')
    def getPreviousSibling(self):
        """The node immediately preceding this node.  If
        there is no such node, this returns None."""
        return None
+    security.declareProtected(access_contents_information, 'getNextSibling')
    def getNextSibling(self):
        """The node immediately preceding this node.  If
        there is no such node, this returns None."""
        return None
+    security.declareProtected(access_contents_information, 'getAttributes')
    def getAttributes(self):
        """Returns a NamedNodeMap containing the attributes
        of this node (if it is an element) or None otherwise."""
        return None
+    security.declareProtected(access_contents_information, 'getOwnerDocument')
    def getOwnerDocument(self):
        """The Document object associated with this node.
        When this is a document this is None"""
@@ -149,32 +156,33 @@ class Node:
    # DOM Methods
    # -----------
+    security.declareProtected(access_contents_information, 'hasChildNodes')
    def hasChildNodes(self):
        """Returns true if the node has any children, false
        if it doesn't. """
        return len(self.objectIds())
+InitializeClass(Node)
 class Document(Acquisition.Explicit, Node):
    """
    Document Interface
    """
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('Access contents information',
-            ('getImplementation', 'getDoctype', 'getDocumentElement'),
-        ),
-    )
    # Document Methods
    # ----------------
+    security.declareProtected(access_contents_information, 'getImplementation')
    def getImplementation(self):
        """
        The DOMImplementation object that handles this document.
        """
        return DOMImplementation()
+    security.declareProtected(access_contents_information, 'getDoctype')
    def getDoctype(self):
        """
        The Document Type Declaration associated with this document.
@@ -183,6 +191,8 @@ class Document(Acquisition.Explicit, Node):
        """
        return None
+    security.declareProtected(access_contents_information,
+                              'getDocumentElement')
    def getDocumentElement(self):
        """
        This is a convenience attribute that allows direct access to
@@ -226,18 +236,17 @@ class Document(Acquisition.Explicit, Node):
        if it doesn't. """
        return 1
+InitializeClass(Document)
 class DOMImplementation:
    """
    DOMImplementation Interface
    """
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('Access contents information',
-            ('hasFeature',),
-        ),
-    )
+    security.declareProtected(access_contents_information, 'hasFeature')
    def hasFeature(self, feature, version = None):
        """
        hasFeature - Test if the DOM implementation implements a specific
@@ -256,22 +265,20 @@ class DOMImplementation:
            if version == '1.0': return 1
            return 0
+InitializeClass(DOMImplementation)
 class Element(Node):
    """
    Element interface
    """
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('Access contents information',
-            ('getTagName', 'getAttribute', 'getAttributeNode',
-            'getElementsByTagName'),
-        ),
-    )
    # Element Attributes
    # ------------------
+    security.declareProtected(access_contents_information, 'getTagName')
    def getTagName(self):
        """The name of the element"""
        return self.__class__.__name__
@@ -344,15 +351,19 @@ class Element(Node):
    # Element Methods
    # ---------------
+    security.declareProtected(access_contents_information, 'getAttribute')
    def getAttribute(self, name):
        """Retrieves an attribute value by name."""
        return None
+    security.declareProtected(access_contents_information, 'getAttributeNode')
    def getAttributeNode(self, name):
        """ Retrieves an Attr node by name or None if
        there is no such attribute. """
        return None
+    security.declareProtected(access_contents_information,
+                              'getElementsByTagName')
    def getElementsByTagName(self, tagname):
        """ Returns a NodeList of all the Elements with a given tag
        name in the order in which they would be encountered in a
@@ -370,6 +381,8 @@ class Element(Node):
                nodeList = nodeList + n1._data
        return NodeList(nodeList)
+InitializeClass(Element)
 class ElementWithAttributes(Element):
    """

--- a/lib/python/OFS/misc_.py
+++ b/lib/python/OFS/misc_.py
@@ -11,16 +11,22 @@
 #
 ##############################################################################
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 from App.ImageFile import ImageFile
 class misc_:
    "Miscellaneous product information"
-    __roles__=None
+    security = ClassSecurityInfo()
+    security.declareObjectPublic()
+InitializeClass(misc_)
 class p_:
    "Shared system information"
-    __roles__=None
+    security = ClassSecurityInfo()
+    security.declareObjectPublic()
    broken=ImageFile('www/broken.gif', globals())
@@ -63,10 +69,12 @@ class p_:
    ProductHelp_icon=ImageFile('HelpSys/images/productHelp.gif')
    HelpTopic_icon=ImageFile('HelpSys/images/helpTopic.gif')
+InitializeClass(p_)
 class Misc_:
    "Miscellaneous product information"
+    security = ClassSecurityInfo()
-    __roles__=None
+    security.declareObjectPublic()
    def __init__(self, name, dict):
        self._d=dict
@@ -75,3 +83,5 @@ class Misc_:
    def __str__(self): return self.__name__
    def __getitem__(self, name): return self._d[name]
    def __setitem__(self, name, v): self._d[name]=v
+InitializeClass(Misc_)
--- a/lib/python/Products/ExternalMethod/ExternalMethod.py
+++ b/lib/python/Products/ExternalMethod/ExternalMethod.py
@@ -19,6 +19,11 @@ domain-specific customization of web environments.
 __version__='$Revision: 1.52 $'[11:-2]
 from Globals import Persistent, DTMLFile, MessageDialog, HTML
 import OFS.SimpleItem, Acquisition
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import change_external_methods
+from AccessControl.Permissions import view_management_screens
+from AccessControl.Permissions import view as View
 import AccessControl.Role, sys, os, stat, traceback
 from OFS.SimpleItem import pretty_tb
 from App.Extensions import getObject, getPath, FuncCode
@@ -81,6 +86,9 @@ class ExternalMethod(OFS.SimpleItem.Item, Persistent, Acquisition.Explicit,
    meta_type = 'External Method'
+    security = ClassSecurityInfo()
+    security.declareObjectProtected(View)
    func_defaults = ComputedAttribute(lambda self: self.getFuncDefaults())
    func_code = ComputedAttribute(lambda self: self.getFuncCode())
@@ -100,17 +108,14 @@ class ExternalMethod(OFS.SimpleItem.Item, Persistent, Acquisition.Explicit,
        +AccessControl.Role.RoleManager.manage_options
        )
-    __ac_permissions__=(
-        ('View management screens', ('manage_main',)),
-        ('Change External Methods', ('manage_edit',)),
-        ('View', ('__call__','')),
-        )
    def __init__(self, id, title, module, function):
        self.id=id
        self.manage_edit(title, module, function)
+    security.declareProtected(view_management_screens, 'manage_main')
    manage_main=DTMLFile('dtml/methodEdit', globals())
+    security.declareProtected(change_external_methods, 'manage_edit')
    def manage_edit(self, title, module, function, REQUEST=None):
        """Change the external method
@@ -182,6 +187,7 @@ class ExternalMethod(OFS.SimpleItem.Item, Persistent, Acquisition.Explicit,
                self._v_f = self.getFunction()
            return self._v_func_code
+    security.declareProtected(View, '__call__')
    def __call__(self, *args, **kw):
        """Call an ExternalMethod
@@ -243,3 +249,5 @@ class ExternalMethod(OFS.SimpleItem.Item, Persistent, Acquisition.Explicit,
            self._v_filepath=getPath('Extensions', self._module,
                                     suffixes=('','py','pyc','pyp'))
        return self._v_filepath
+InitializeClass(ExternalMethod)
--- a/lib/python/Products/OFSP/Draft.py
+++ b/lib/python/Products/OFSP/Draft.py
@@ -12,6 +12,8 @@
 ##############################################################################
 import Globals, AccessControl.User
 from Globals import Persistent
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 from Acquisition import Implicit
 from OFS import SimpleItem
@@ -27,12 +29,7 @@ class Draft(Persistent, Implicit, SimpleItem.Item):
    _version='/version'
    meta_type='Zope Draft'
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('Approve draft changes',
-         ('manage_approve__draft__',
-          'manage_Save__draft__','manage_Discard__draft__')
-         ),
-    )
    def __init__(self, id, baseid, PATH_INFO):
        self.id=id
@@ -102,8 +99,12 @@ class Draft(Persistent, Implicit, SimpleItem.Item):
            # ZODB 3
            return not db.versionEmpty(self._version)
+    security.declareProtected('Approve draft changes',
+                              'manage_approve__draft__')
    manage_approve__draft__=Globals.HTMLFile('dtml/draftApprove', globals())
+    security.declareProtected('Approve draft changes',
+                              'manage_Save__draft__')
    def manage_Save__draft__(self, remark, REQUEST=None):
        """Make version changes permanent"""
        try: db=self._p_jar.db()
@@ -120,6 +121,8 @@ class Draft(Persistent, Implicit, SimpleItem.Item):
        if REQUEST:
            REQUEST['RESPONSE'].redirect(REQUEST['URL2']+'/manage_main')
+    security.declareProtected('Approve draft changes',
+                              'manage_Discard__draft__')
    def manage_Discard__draft__(self, REQUEST=None):
        'Discard changes made during the version'
        try: db=self._p_jar.db()
@@ -146,7 +149,8 @@ class Draft(Persistent, Implicit, SimpleItem.Item):
                'Attempt to %sdelete a non-empty version.<p>'
                ((self is not item) and 'indirectly ' or ''))
-Globals.default__class_init__(Draft)
+InitializeClass(Draft)
 def getdraft(ob, jar):

--- a/lib/python/Products/OFSP/Version.py
+++ b/lib/python/Products/OFSP/Version.py
@@ -18,6 +18,12 @@ import Globals, time
 from AccessControl.Role import RoleManager
 from Globals import MessageDialog
 from Globals import Persistent
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import change_versions
+from AccessControl.Permissions import join_leave_versions
+from AccessControl.Permissions import save_discard_version_changes
+from AccessControl.Permissions import view_management_screens
 from Acquisition import Implicit
 from OFS.SimpleItem import Item
 from Globals import HTML
@@ -44,6 +50,9 @@ class Version(Persistent,Implicit,RoleManager,Item):
    """ """
    meta_type='Version'
+    security = ClassSecurityInfo()
+    security.declareObjectProtected(view_management_screens)
    manage_options=(
        (
        {'label':'Join/Leave', 'action':'manage_main',
@@ -57,14 +66,7 @@ class Version(Persistent,Implicit,RoleManager,Item):
        +Item.manage_options
        )
-    __ac_permissions__=(
+    security.declareProtected(view_management_screens, 'manage')
-        ('View management screens', ('manage','manage_editForm', '')),
-        ('Change Versions', ('manage_edit',)),
-        ('Join/leave Versions',
-         ('manage_main', 'enter','leave','leave_another')),
-        ('Save/discard Version changes',
-         ('manage_end', 'save','discard')),
-        )
    cookie=''
@@ -74,8 +76,13 @@ class Version(Persistent,Implicit,RoleManager,Item):
        self.id=id
        self.title=title
+    security.declareProtected(join_leave_versions, 'manage_main')
    manage_main=Globals.DTMLFile('dtml/version', globals())
+    security.declareProtected(save_discard_version_changes, 'manage_end')
    manage_end=Globals.DTMLFile('dtml/versionEnd', globals())
+    security.declareProtected(view_management_screens, 'manage_editForm')
    manage_editForm   =Globals.DTMLFile('dtml/versionEdit', globals())
    def title_and_id(self):
@@ -98,6 +105,7 @@ class Version(Persistent,Implicit,RoleManager,Item):
                          'alt': 'Deprecated object',
                          'title': 'Version objects are deprecated and should not be used anyore.'},)
+    security.declareProtected(change_versions, 'manage_edit')
    def manage_edit(self, title, REQUEST=None):
        """ """
        self.title=title
@@ -106,6 +114,7 @@ class Version(Persistent,Implicit,RoleManager,Item):
                    message='Your changes have been saved',
                    action ='manage_main')
+    security.declareProtected(join_leave_versions, 'enter')
    def enter(self, REQUEST, RESPONSE):
        """Begin working in a version"""
        RESPONSE.setCookie(
@@ -123,6 +132,7 @@ class Version(Persistent,Implicit,RoleManager,Item):
                )
        return RESPONSE.redirect(REQUEST['URL1']+'/manage_main')
+    security.declareProtected(join_leave_versions, 'leave')
    def leave(self, REQUEST, RESPONSE):
        """Temporarily stop working in a version"""
        RESPONSE.setCookie(
@@ -141,10 +151,12 @@ class Version(Persistent,Implicit,RoleManager,Item):
                )
        return RESPONSE.redirect(REQUEST['URL1']+'/manage_main')
+    security.declareProtected(join_leave_versions, 'leave_another')
    def leave_another(self, REQUEST, RESPONSE):
        """Leave a version that may not be the current version"""
        return self.leave(REQUEST, RESPONSE)
+    security.declareProtected(save_discard_version_changes, 'save')
    def save(self, remark, REQUEST=None):
        """Make version changes permanent"""
        try: db=self._p_jar.db()
@@ -162,6 +174,7 @@ class Version(Persistent,Implicit,RoleManager,Item):
        if REQUEST is not None:
            REQUEST['RESPONSE'].redirect(REQUEST['URL1']+'/manage_main')
+    security.declareProtected(save_discard_version_changes, 'discard')
    def discard(self, remark='', REQUEST=None):
        'Discard changes made during the version'
        try: db=self._p_jar.db()
@@ -219,3 +232,5 @@ class Version(Persistent,Implicit,RoleManager,Item):
                    'version, because the version would no longer\n'
                    'be accessable.<p>\n'
                    % (v,v,v))
+InitializeClass(Version)
--- a/lib/python/Products/PluginIndexes/TextIndex/Vocabulary.py
+++ b/lib/python/Products/PluginIndexes/TextIndex/Vocabulary.py
@@ -16,7 +16,11 @@ $Id$
 """
 from Globals import DTMLFile, MessageDialog
-import Globals, AccessControl.Role
+import AccessControl.Role
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import manage_vocabulary
+from AccessControl.Permissions import query_vocabulary
 from Acquisition import Implicit
 from Persistence import Persistent
 from OFS.SimpleItem import Item
@@ -52,6 +56,10 @@ class Vocabulary(Item, Persistent, Implicit, AccessControl.Role.RoleManager):
    implements(IVocabulary)
+    security = ClassSecurityInfo()
+    security.setPermissionDefault(manage_vocabulary, ('Manager',))
+    security.setPermissionDefault(query_vocabulary, ('Anonymous', 'Manager',))
    meta_type = "Vocabulary"
    _isAVocabulary = 1
@@ -66,18 +74,10 @@ class Vocabulary(Item, Persistent, Implicit, AccessControl.Role.RoleManager):
        +AccessControl.Role.RoleManager.manage_options
        )
-    __ac_permissions__=(
+    security.declareProtected(manage_vocabulary, 'manage_main')
-        ('Manage Vocabulary',
-         ['manage_main', 'manage_query'],
-         ['Manager']),
-        ('Query Vocabulary',
-         ['query',],
-         ['Anonymous', 'Manager']),
-        )
    manage_main = DTMLFile('dtml/manage_vocab', globals())
+    security.declareProtected(manage_vocabulary, 'manage_query')
    manage_query = DTMLFile('dtml/vocab_query', globals())
    def __init__(self, id, title='', globbing=None,splitter=None,extra=None):
@@ -106,6 +106,7 @@ class Vocabulary(Item, Persistent, Implicit, AccessControl.Role.RoleManager):
    def getLexicon(self):
        return self.lexicon
+    security.declareProtected(query_vocabulary, 'query')
    def query(self, pattern):
        """ """
        result = []
@@ -132,3 +133,5 @@ class Vocabulary(Item, Persistent, Implicit, AccessControl.Role.RoleManager):
    def words(self):
        return self.lexicon._lexicon.items()
+InitializeClass(Vocabulary)
--- a/lib/python/Products/SiteAccess/VirtualHostMonster.py
+++ b/lib/python/Products/SiteAccess/VirtualHostMonster.py
@@ -4,6 +4,9 @@ Defines the VirtualHostMonster class
 """
 from Globals import DTMLFile, MessageDialog, Persistent
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import view as View
 from OFS.SimpleItem import Item
 from Acquisition import Implicit, aq_inner, aq_parent
 from ZPublisher import BeforeTraverse
@@ -24,15 +27,19 @@ class VirtualHostMonster(Persistent, Item, Implicit):
    lines = ()
    have_map = 0
-    __ac_permissions__=(('View', ('manage_main',)),('Add Site Roots', ('manage_edit', 'set_map')))
+    security = ClassSecurityInfo()
    manage_options=({'label':'About', 'action':'manage_main'},
                    {'label':'Mappings', 'action':'manage_edit'})
+    security.declareProtected(View, 'manage_main')
    manage_main = DTMLFile('www/VirtualHostMonster', globals(),
                           __name__='manage_main')
+    security.declareProtected('Add Site Roots', 'manage_edit')
    manage_edit = DTMLFile('www/manage_edit', globals())
+    security.declareProtected('Add Site Roots', 'set_map')
    def set_map(self, map_text, RESPONSE=None):
        "Set domain to path mappings."
        lines = map_text.split('\n')
@@ -238,6 +245,9 @@ class VirtualHostMonster(Persistent, Item, Implicit):
            request.setVirtualRoot([])
        return parents.pop() # He'll get put back on
+InitializeClass(VirtualHostMonster)
 def manage_addVirtualHostMonster(self, id, REQUEST=None, **ignored):
    """ """
    vhm = VirtualHostMonster()

--- a/lib/python/Products/StandardCacheManagers/AcceleratedHTTPCacheManager.py
+++ b/lib/python/Products/StandardCacheManagers/AcceleratedHTTPCacheManager.py
@@ -21,8 +21,10 @@ $Id$
 from OFS.Cache import Cache, CacheManager
 from OFS.SimpleItem import SimpleItem
 import time
-import Globals
+from Globals import InitializeClass
 from Globals import DTMLFile
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import view_management_screens
 import urlparse, httplib
 from cgi import escape
 from urllib import quote
@@ -108,14 +110,8 @@ PRODUCT_DIR = __name__.split('.')[-2]
 class AcceleratedHTTPCacheManager (CacheManager, SimpleItem):
    ' '
-    __ac_permissions__ = (
+    security = ClassSecurityInfo()
-        ('View management screens', ('getSettings',
+    security.setPermissionDefault('Change cache managers', ('Manager',))
-                                     'manage_main',
-                                     'manage_stats',
-                                     'getCacheReport',
-                                     'sort_link')),
-        ('Change cache managers', ('manage_editProps',), ('Manager',)),
-        )
    manage_options = (
        {'label':'Properties', 'action':'manage_main',
@@ -138,7 +134,7 @@ class AcceleratedHTTPCacheManager (CacheManager, SimpleItem):
        ' '
        return self.id
-    ZCacheManager_getCache__roles__ = ()
+    security.declarePrivate('ZCacheManager_getCache')
    def ZCacheManager_getCache(self):
        cacheid = self.__cacheid
        try:
@@ -149,12 +145,15 @@ class AcceleratedHTTPCacheManager (CacheManager, SimpleItem):
            caches[cacheid] = cache
            return cache
+    security.declareProtected(view_management_screens, 'getSettings')
    def getSettings(self):
        ' '
        return self._settings.copy()  # Don't let DTML modify it.
+    security.declareProtected(view_management_screens, 'manage_main')
    manage_main = DTMLFile('dtml/propsAccel', globals())
+    security.declareProtected('Change cache managers', 'manage_editProps')
    def manage_editProps(self, title, settings=None, REQUEST=None):
        ' '
        if settings is None:
@@ -170,6 +169,7 @@ class AcceleratedHTTPCacheManager (CacheManager, SimpleItem):
            return self.manage_main(
                self, REQUEST, manage_tabs_message='Properties changed.')
+    security.declareProtected(view_management_screens, 'manage_stats')
    manage_stats = DTMLFile('dtml/statsAccel', globals())
    def _getSortInfo(self):
@@ -182,6 +182,7 @@ class AcceleratedHTTPCacheManager (CacheManager, SimpleItem):
        sort_reverse = int(req.get('sort_reverse', 1))
        return sort_by, sort_reverse
+    security.declareProtected(view_management_screens, 'getCacheReport')
    def getCacheReport(self):
        """
        Returns the list of objects in the cache, sorted according to
@@ -201,6 +202,7 @@ class AcceleratedHTTPCacheManager (CacheManager, SimpleItem):
                rval.reverse()
        return rval
+    security.declareProtected(view_management_screens, 'sort_link')
    def sort_link(self, name, id):
        """
        Utility for generating a sort link.
@@ -215,7 +217,7 @@ class AcceleratedHTTPCacheManager (CacheManager, SimpleItem):
        return '<a href="%s">%s</a>' % (escape(url, 1), escape(name))
-Globals.default__class_init__(AcceleratedHTTPCacheManager)
+InitializeClass(AcceleratedHTTPCacheManager)
 manage_addAcceleratedHTTPCacheManagerForm = DTMLFile('dtml/addAccel',

--- a/lib/python/Products/StandardCacheManagers/RAMCacheManager.py
+++ b/lib/python/Products/StandardCacheManagers/RAMCacheManager.py
@@ -23,8 +23,10 @@ from OFS.SimpleItem import SimpleItem
 from thread import allocate_lock
 from cgi import escape
 import time
-import Globals
+from Globals import InitializeClass
 from Globals import DTMLFile
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import view_management_screens
 try: from cPickle import Pickler, HIGHEST_PROTOCOL
 except: from pickle import Pickler, HIGHEST_PROTOCOL
@@ -347,14 +349,8 @@ class RAMCacheManager (CacheManager, SimpleItem):
    caching.
    """
-    __ac_permissions__ = (
+    security = ClassSecurityInfo()
-        ('View management screens', ('getSettings',
+    security.setPermissionDefault('Change cache managers', ('Manager',))
-                                     'manage_main',
-                                     'manage_stats',
-                                     'getCacheReport',
-                                     'sort_link',)),
-        ('Change cache managers', ('manage_editProps','manage_invalidate'), ('Manager',)),
-        )
    manage_options = (
        {'label':'Properties', 'action':'manage_main',
@@ -391,6 +387,7 @@ class RAMCacheManager (CacheManager, SimpleItem):
            caches[cacheid] = cache
            return cache
+    security.declareProtected(view_management_screens, 'getSettings')
    def getSettings(self):
        'Returns the current cache settings.'
        res = self._settings.copy()
@@ -398,8 +395,10 @@ class RAMCacheManager (CacheManager, SimpleItem):
            res['max_age'] = 0
        return res
+    security.declareProtected(view_management_screens, 'manage_main')
    manage_main = DTMLFile('dtml/propsRCM', globals())
+    security.declareProtected('Change cache managers', 'manage_editProps')
    def manage_editProps(self, title, settings=None, REQUEST=None):
        'Changes the cache settings.'
        if settings is None:
@@ -419,6 +418,7 @@ class RAMCacheManager (CacheManager, SimpleItem):
            return self.manage_main(
                self, REQUEST, manage_tabs_message='Properties changed.')
+    security.declareProtected(view_management_screens, 'manage_stats')
    manage_stats = DTMLFile('dtml/statsRCM', globals())
    def _getSortInfo(self):
@@ -431,6 +431,7 @@ class RAMCacheManager (CacheManager, SimpleItem):
        sort_reverse = int(req.get('sort_reverse', 1))
        return sort_by, sort_reverse
+    security.declareProtected(view_management_screens, 'getCacheReport')
    def getCacheReport(self):
        """
        Returns the list of objects in the cache, sorted according to
@@ -446,6 +447,7 @@ class RAMCacheManager (CacheManager, SimpleItem):
                rval.reverse()
        return rval
+    security.declareProtected(view_management_screens, 'sort_link')
    def sort_link(self, name, id):
        """
        Utility for generating a sort link.
@@ -458,6 +460,7 @@ class RAMCacheManager (CacheManager, SimpleItem):
        url = url + '&sort_reverse=' + (newsr and '1' or '0')
        return '<a href="%s">%s</a>' % (escape(url, 1), escape(name))
+    security.declareProtected('Change cache managers', 'manage_invalidate')
    def manage_invalidate(self, paths, REQUEST=None):
        """ ZMI helper to invalidate an entry """
        for path in paths:
@@ -472,7 +475,7 @@ class RAMCacheManager (CacheManager, SimpleItem):
            msg = 'Cache entries invalidated'
            return self.manage_stats(manage_tabs_message=msg)
-Globals.default__class_init__(RAMCacheManager)
+InitializeClass(RAMCacheManager)
 class _ByteCounter:

--- a/lib/python/Products/ZCatalog/ZCatalog.py
+++ b/lib/python/Products/ZCatalog/ZCatalog.py
@@ -19,7 +19,7 @@ from warnings import warn
 import urllib, time, sys, string, logging
 from Globals import DTMLFile, MessageDialog
-import Globals
+from Globals import InitializeClass
 from OFS.Folder import Folder
 from OFS.ObjectManager import ObjectManager
 from DateTime import DateTime
@@ -27,6 +27,7 @@ from Acquisition import Implicit
 from Persistence import Persistent
 from DocumentTemplate.DT_Util import InstanceDict, TemplateDict
 from DocumentTemplate.DT_Util import Eval
+from AccessControl import ClassSecurityInfo
 from AccessControl.Permission import name_trans
 from AccessControl.DTML import RestrictedDTML
 from AccessControl.Permissions import \
@@ -86,6 +87,11 @@ class ZCatalog(Folder, Persistent, Implicit):
    __implements__ = z2IZCatalog
    implements(z3IZCatalog)
+    security = ClassSecurityInfo()
+    security.setPermissionDefault(manage_zcatalog_entries, ('Manager',))
+    security.setPermissionDefault(manage_zcatalog_indexes, ('Manager',))
+    security.setPermissionDefault(search_zcatalog, ('Anonymous', 'Manager'))
    meta_type = "ZCatalog"
    icon='misc_/ZCatalog/ZCatalog.gif'
@@ -122,46 +128,30 @@ class ZCatalog(Folder, Persistent, Implicit):
         'help': ('OFSP','Ownership.stx'),}
        )
-    __ac_permissions__=(
+    security.declareProtected(manage_zcatalog_entries, 'manage_main')
-        (manage_zcatalog_entries,
-         ['manage_catalogObject', 'manage_uncatalogObject',
-          'catalog_object', 'uncatalog_object', 'refreshCatalog',
-          'manage_catalogView', 'manage_catalogFind',
-          'manage_catalogSchema', 'manage_catalogIndexes',
-          'manage_catalogAdvanced', 'manage_objectInformation',
-          'manage_catalogReindex', 'manage_catalogFoundItems',
-          'manage_catalogClear', 'manage_addColumn', 'manage_delColumn',
-          'manage_addIndex', 'manage_delIndex', 'manage_clearIndex',
-          'manage_reindexIndex', 'manage_main', 'availableSplitters',
-          'manage_setProgress',
-          # these two are deprecated:
-          'manage_delColumns', 'manage_deleteIndex'
-          ],
-         ['Manager']),
-        (search_zcatalog,
-         ['searchResults', '__call__', 'uniqueValuesFor',
-          'getpath', 'schema', 'indexes', 'index_objects',
-          'all_meta_types', 'valid_roles', 'resolve_url',
-          'getobject', 'search'],
-         ['Anonymous', 'Manager']),
-        (manage_zcatalog_indexes,
-         ['getIndexObjects'],
-         ['Manager']),
-        )
+    security.declareProtected(search_zcatalog, 'all_meta_types')
    manage_catalogAddRowForm = DTMLFile('dtml/catalogAddRowForm', globals())
+    security.declareProtected(manage_zcatalog_entries, 'manage_catalogView')
    manage_catalogView = DTMLFile('dtml/catalogView',globals())
+    security.declareProtected(manage_zcatalog_entries, 'manage_catalogFind')
    manage_catalogFind = DTMLFile('dtml/catalogFind',globals())
+    security.declareProtected(manage_zcatalog_entries, 'manage_catalogSchema')
    manage_catalogSchema = DTMLFile('dtml/catalogSchema', globals())
+    security.declareProtected(manage_zcatalog_entries, 'manage_catalogIndexes')
    manage_catalogIndexes = DTMLFile('dtml/catalogIndexes', globals())
+    security.declareProtected(manage_zcatalog_entries,
+                              'manage_catalogAdvanced')
    manage_catalogAdvanced = DTMLFile('dtml/catalogAdvanced', globals())
+    security.declareProtected(manage_zcatalog_entries,
+                              'manage_objectInformation')
    manage_objectInformation = DTMLFile('dtml/catalogObjectInformation',
                                        globals())
@@ -224,6 +214,7 @@ class ZCatalog(Folder, Persistent, Implicit):
            URL1 +
            '/manage_catalogAdvanced?manage_tabs_message=Catalog%20Changed')
+    security.declareProtected(manage_zcatalog_entries, 'manage_catalogObject')
    def manage_catalogObject(self, REQUEST, RESPONSE, URL1, urls=None):
        """ index Zope object(s) that 'urls' point to """
        if urls:
@@ -242,6 +233,8 @@ class ZCatalog(Folder, Persistent, Implicit):
            '/manage_catalogView?manage_tabs_message=Object%20Cataloged')
+    security.declareProtected(manage_zcatalog_entries,
+                              'manage_uncatalogObject')
    def manage_uncatalogObject(self, REQUEST, RESPONSE, URL1, urls=None):
        """ removes Zope object(s) 'urls' from catalog """
@@ -257,6 +250,7 @@ class ZCatalog(Folder, Persistent, Implicit):
            '/manage_catalogView?manage_tabs_message=Object%20Uncataloged')
+    security.declareProtected(manage_zcatalog_entries, 'manage_catalogReindex')
    def manage_catalogReindex(self, REQUEST, RESPONSE, URL1):
        """ clear the catalog, then re-index everything """
@@ -278,6 +272,7 @@ class ZCatalog(Folder, Persistent, Implicit):
                         'Total CPU time: %s' % (`elapse`, `c_elapse`)))
+    security.declareProtected(manage_zcatalog_entries, 'refreshCatalog')
    def refreshCatalog(self, clear=0, pghandler=None):
        """ re-index everything we can find """
@@ -309,6 +304,7 @@ class ZCatalog(Folder, Persistent, Implicit):
        if pghandler: pghandler.finish()
+    security.declareProtected(manage_zcatalog_entries, 'manage_catalogClear')
    def manage_catalogClear(self, REQUEST=None, RESPONSE=None, URL1=None):
        """ clears the whole enchilada """
        self._catalog.clear()
@@ -319,6 +315,8 @@ class ZCatalog(Folder, Persistent, Implicit):
              '/manage_catalogAdvanced?manage_tabs_message=Catalog%20Cleared')
+    security.declareProtected(manage_zcatalog_entries,
+                              'manage_catalogFoundItems')
    def manage_catalogFoundItems(self, REQUEST, RESPONSE, URL2, URL1,
                                 obj_metatypes=None,
                                 obj_ids=None, obj_searchterm=None,
@@ -364,6 +362,7 @@ class ZCatalog(Folder, Persistent, Implicit):
            )
+    security.declareProtected(manage_zcatalog_entries, 'manage_addColumn')
    def manage_addColumn(self, name, REQUEST=None, RESPONSE=None, URL1=None):
        """ add a column """
        self.addColumn(name)
@@ -374,6 +373,7 @@ class ZCatalog(Folder, Persistent, Implicit):
                '/manage_catalogSchema?manage_tabs_message=Column%20Added')
+    security.declareProtected(manage_zcatalog_entries, 'manage_delColumns')
    def manage_delColumns(self, names, REQUEST=None, RESPONSE=None, URL1=None):
        """ Deprecated method. Use manage_delColumn instead. """
        # log a deprecation warning
@@ -392,6 +392,7 @@ class ZCatalog(Folder, Persistent, Implicit):
                              URL1=URL1)
+    security.declareProtected(manage_zcatalog_entries, 'manage_delColumn')
    def manage_delColumn(self, names, REQUEST=None, RESPONSE=None, URL1=None):
        """ delete a column or some columns """
        if isinstance(names, str):
@@ -406,6 +407,7 @@ class ZCatalog(Folder, Persistent, Implicit):
                '/manage_catalogSchema?manage_tabs_message=Column%20Deleted')
+    security.declareProtected(manage_zcatalog_entries, 'manage_addIndex')
    def manage_addIndex(self, name, type, extra=None,
                        REQUEST=None, RESPONSE=None, URL1=None):
        """add an index """
@@ -417,6 +419,7 @@ class ZCatalog(Folder, Persistent, Implicit):
                '/manage_catalogIndexes?manage_tabs_message=Index%20Added')
+    security.declareProtected(manage_zcatalog_entries, 'manage_deleteIndex')
    def manage_deleteIndex(self, ids=None, REQUEST=None, RESPONSE=None,
        URL1=None):
        """ Deprecated method. Use manage_delIndex instead. """
@@ -436,6 +439,7 @@ class ZCatalog(Folder, Persistent, Implicit):
                             URL1=URL1)
+    security.declareProtected(manage_zcatalog_entries, 'manage_delIndex')
    def manage_delIndex(self, ids=None, REQUEST=None, RESPONSE=None,
        URL1=None):
        """ delete an index or some indexes """
@@ -456,6 +460,7 @@ class ZCatalog(Folder, Persistent, Implicit):
                '/manage_catalogIndexes?manage_tabs_message=Index%20Deleted')
+    security.declareProtected(manage_zcatalog_entries, 'manage_clearIndex')
    def manage_clearIndex(self, ids=None, REQUEST=None, RESPONSE=None,
        URL1=None):
        """ clear an index or some indexes """
@@ -524,6 +529,7 @@ class ZCatalog(Folder, Persistent, Implicit):
        if pghandler:
            pghandler.finish()
+    security.declareProtected(manage_zcatalog_entries, 'manage_reindexIndex')
    def manage_reindexIndex(self, ids=None, REQUEST=None, RESPONSE=None,
                            URL1=None):
        """Reindex indexe(s) from a ZCatalog"""
@@ -543,11 +549,13 @@ class ZCatalog(Folder, Persistent, Implicit):
                '?manage_tabs_message=Reindexing%20Performed')
+    security.declareProtected(manage_zcatalog_entries, 'availableSplitters')
    def availableSplitters(self):
        """ splitter we can add """
        return Splitter.availableSplitters
+    security.declareProtected(manage_zcatalog_entries, 'catalog_object')
    def catalog_object(self, obj, uid=None, idxs=None, update_metadata=1, pghandler=None):
        """ wrapper around catalog """
@@ -593,14 +601,17 @@ class ZCatalog(Folder, Persistent, Implicit):
                if pghandler:
                    pghandler.info('commiting subtransaction')
+    security.declareProtected(manage_zcatalog_entries, 'uncatalog_object')
    def uncatalog_object(self, uid):
        """Wrapper around catalog """
        self._catalog.uncatalogObject(uid)
+    security.declareProtected(search_zcatalog, 'uniqueValuesFor')
    def uniqueValuesFor(self, name):
        """Return the unique values for a given FieldIndex """
        return self._catalog.uniqueValuesFor(name)
+    security.declareProtected(search_zcatalog, 'getpath')
    def getpath(self, rid):
        """Return the path to a cataloged object given a 'data_record_id_'
        """
@@ -611,6 +622,7 @@ class ZCatalog(Folder, Persistent, Implicit):
        """
        return self._catalog.uids.get(path, default)
+    security.declareProtected(search_zcatalog, 'getobject')
    def getobject(self, rid, REQUEST=None):
        """Return a cataloged object given a 'data_record_id_'
        """
@@ -639,17 +651,21 @@ class ZCatalog(Folder, Persistent, Implicit):
        """return the current index contents for the specific rid"""
        return self._catalog.getIndexDataForRID(rid)
+    security.declareProtected(search_zcatalog, 'schema')
    def schema(self):
        return self._catalog.schema.keys()
+    security.declareProtected(search_zcatalog, 'indexes')
    def indexes(self):
        return self._catalog.indexes.keys()
+    security.declareProtected(search_zcatalog, 'index_objects')
    def index_objects(self):
        # This method returns unwrapped indexes!
        # You should probably use getIndexObjects instead
        return self._catalog.indexes.values()
+    security.declareProtected(manage_zcatalog_indexes, 'getIndexObjects')
    def getIndexObjects(self):
        # Return a list of wrapped(!) indexes
        getIndex = self._catalog.getIndex
@@ -677,6 +693,7 @@ class ZCatalog(Folder, Persistent, Implicit):
                  'width': 8})
        return r
+    security.declareProtected(search_zcatalog, 'searchResults')
    def searchResults(self, REQUEST=None, used=None, **kw):
        """Search the catalog
@@ -688,8 +705,10 @@ class ZCatalog(Folder, Persistent, Implicit):
        return self._catalog.searchResults(REQUEST, used, **kw)
+    security.declareProtected(search_zcatalog, '__call__')
    __call__=searchResults
+    security.declareProtected(search_zcatalog, 'search')
    def search(
        self, query_request, sort_index=None, reverse=0, limit=None, merge=1):
        """Programmatic search interface, use for searching the catalog from
@@ -720,6 +739,7 @@ class ZCatalog(Folder, Persistent, Implicit):
    #        except AttributeError:  pass
    #    return self.meta_types+Products.meta_types+pmt
+    security.declareProtected(search_zcatalog, 'valid_roles')
    def valid_roles(self):
        "Return list of valid roles"
        obj=self
@@ -838,6 +858,7 @@ class ZCatalog(Folder, Persistent, Implicit):
        return result
+    security.declareProtected(search_zcatalog, 'resolve_url')
    def resolve_url(self, path, REQUEST):
        """
        Attempt to resolve a url into an object in the Zope
@@ -902,6 +923,7 @@ class ZCatalog(Folder, Persistent, Implicit):
                  '%s unchanged.' % (len(fixed), len(removed), unchanged),
          action='./manage_main')
+    security.declareProtected(manage_zcatalog_entries, 'manage_setProgress')
    def manage_setProgress(self, pgthreshold=0, RESPONSE=None, URL1=None):
        """Set parameter to perform logging of reindexing operations very 
           'pgthreshold' objects
@@ -1026,7 +1048,7 @@ class ZCatalog(Folder, Persistent, Implicit):
        return self._catalog.delColumn(name)
-Globals.default__class_init__(ZCatalog)
+InitializeClass(ZCatalog)
 def p_name(name):

--- a/lib/python/Products/ZSQLMethods/SQL.py
+++ b/lib/python/Products/ZSQLMethods/SQL.py
@@ -18,6 +18,9 @@ __version__='$Revision: 1.21 $'[11:-2]
 import Shared.DC.ZRDB.DA
 from Globals import DTMLFile
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import change_database_methods
 from webdav.WriteLockInterface import WriteLockInterface
 def SQLConnectionIDs(self):
@@ -120,12 +123,11 @@ class SQL(Shared.DC.ZRDB.DA.DA):
    __implements__ = (WriteLockInterface,)
    meta_type='Z SQL Method'
+    security = ClassSecurityInfo()
+    security.declareProtected(change_database_methods, 'manage')
+    security.declareProtected(change_database_methods, 'manage_main')
    manage=manage_main=DTMLFile('dtml/edit', globals())
    manage_main._setName('manage_main')
-    __ac_permissions__=(
+InitializeClass(SQL)
-        ('Change Database Methods', ('manage', 'manage_main')),
-    )
-import Globals
-Globals.InitializeClass(SQL)
--- a/lib/python/Shared/DC/Scripts/Bindings.py
+++ b/lib/python/Shared/DC/Scripts/Bindings.py
@@ -13,8 +13,10 @@
 __version__='$Revision$'[11:-2]
-import Globals
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 from AccessControl import getSecurityManager
+from AccessControl.Permissions import view_management_screens
 from AccessControl.PermissionRole import _what_not_even_god_should_do
 from AccessControl.ZopeGuards import guarded_getattr
 from Persistence import Persistent
@@ -190,18 +192,17 @@ class UnauthorizedBinding:
 class Bindings:
-    __ac_permissions__ = (
+    security = ClassSecurityInfo()
-        ('View management screens', ('getBindingAssignments',)),
-        ('Change bindings', ('ZBindings_edit', 'ZBindings_setClient')),
-        )
    _Bindings_client = None
+    security.declareProtected('Change bindings', 'ZBindings_edit')
    def ZBindings_edit(self, mapping):
        names = self._setupBindings(mapping)
        self._prepareBindCode()
        self._editedBindings()
+    security.declareProtected('Change bindings', 'ZBindings_setClient')
    def ZBindings_setClient(self, clientname):
        '''Name the binding to be used as the "client".
@@ -217,6 +218,7 @@ class Bindings:
        self._bind_names = names = NameAssignments(names)
        return names
+    security.declareProtected(view_management_screens, 'getBindingAssignments')
    def getBindingAssignments(self):
        if not hasattr(self, '_bind_names'):
            self._setupBindings()
@@ -348,3 +350,5 @@ class Bindings:
            return self._exec(bound_data, args, kw)
        finally:
            security.removeContext(self)
+InitializeClass(Bindings)
--- a/lib/python/Shared/DC/Scripts/BindingsUI.py
+++ b/lib/python/Shared/DC/Scripts/BindingsUI.py
@@ -14,23 +14,26 @@
 __version__='$Revision$'[11:-2]
 import Globals
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import view_management_screens
 from Bindings import Bindings
 class BindingsUI(Bindings):
+    security = ClassSecurityInfo()
    manage_options = (
        {'label':'Bindings',
         'action':'ZBindingsHTML_editForm',
         'help':('PythonScripts', 'Bindings.stx')},
        )
-    __ac_permissions__ = (
+    security.declareProtected(view_management_screens,
-        ('View management screens', ('ZBindingsHTML_editForm',)),
+                              'ZBindingsHTML_editForm')
-        ('Change bindings', ('ZBindingsHTML_editAction',)),
-        )
    ZBindingsHTML_editForm = Globals.DTMLFile('dtml/scriptBindings', globals())
+    security.declareProtected('Change bindings', 'ZBindingsHTML_editAction')
    def ZBindingsHTML_editAction(self, REQUEST):
        '''Changes binding names.
        '''
@@ -38,4 +41,4 @@ class BindingsUI(Bindings):
        message = "Bindings changed."
        return self.manage_main(self, REQUEST, manage_tabs_message=message)
-Globals.default__class_init__(BindingsUI)
+InitializeClass(BindingsUI)
--- a/lib/python/Shared/DC/Scripts/Script.py
+++ b/lib/python/Shared/DC/Scripts/Script.py
@@ -18,7 +18,10 @@ This provides generic script support
 __version__='$Revision$'[11:-2]
+from Globals import InitializeClass
 from Globals import DTMLFile
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import view_management_screens
 from OFS.SimpleItem import SimpleItem
 from string import join
 from urllib import quote
@@ -34,17 +37,17 @@ class Script(SimpleItem, BindingsUI):
    """Web-callable script mixin
    """
+    security = ClassSecurityInfo()
    index_html = None
    func_defaults=()
    func_code=None
    _Bindings_ns_class = TemplateDict
-    __ac_permissions__ = (
+    security.declareProtected(view_management_screens, 'ZScriptHTML_tryForm')
-        ('View management screens', ('ZScriptHTML_tryForm',)),
-        )
    ZScriptHTML_tryForm = DTMLFile('dtml/scriptTry', globals())
    def ZScriptHTML_tryAction(self, REQUEST, argvars):
        """Apply the test parameters.
        """
@@ -55,3 +58,5 @@ class Script(SimpleItem, BindingsUI):
        raise Redirect, "%s?%s" % (REQUEST['URL1'], join(vv, '&'))
    from Signature import _setFuncSignature
+InitializeClass(Script)
--- a/lib/python/Shared/DC/ZRDB/Connection.py
+++ b/lib/python/Shared/DC/ZRDB/Connection.py
@@ -19,6 +19,12 @@ import Globals, OFS.SimpleItem, AccessControl.Role, Acquisition, sys
 from DateTime import DateTime
 from App.Dialogs import MessageDialog
 from Globals import DTMLFile
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import view_management_screens
+from AccessControl.Permissions import change_database_connections
+from AccessControl.Permissions import test_database_connections
+from AccessControl.Permissions import open_close_database_connection
 from string import find, join, split
 from Aqueduct import custom_default_report
 from cStringIO import StringIO
@@ -36,6 +42,8 @@ class Connection(
    Acquisition.Implicit,
    ):
+    security = ClassSecurityInfo()
    # Specify definitions for tabs:
    manage_options=(
        (
@@ -47,15 +55,6 @@ class Connection(
        +OFS.SimpleItem.Item.manage_options
        )
-    # Specify how individual operations add up to "permissions":
-    __ac_permissions__=(
-        ('View management screens', ('manage_main',)),
-        ('Change Database Connections', ('manage_edit',)),
-        ('Test Database Connections', ('manage_testForm','manage_test')),
-        ('Open/Close Database Connection',
-         ('manage_open_connection', 'manage_close_connection')),
-        )
    _v_connected=''
    connection_string=''
@@ -97,6 +96,8 @@ class Connection(
        if check: self.connect(connection_string)
    manage_properties=DTMLFile('dtml/connectionEdit', globals())
+    security.declareProtected(change_database_connections, 'manage_edit')
    def manage_edit(self, title, connection_string, check=None, REQUEST=None):
        """Change connection
        """
@@ -108,7 +109,10 @@ class Connection(
                action ='./manage_main',
                )
+    security.declareProtected(test_database_connections, 'manage_testForm')
    manage_testForm=DTMLFile('dtml/connectionTestForm', globals())
+    security.declareProtected(test_database_connections, 'manage_test')
    def manage_test(self, query, REQUEST=None):
        "Executes the SQL in parameter 'query' and returns results"
        dbc=self()      #get our connection
@@ -142,8 +146,11 @@ class Connection(
        return report
+    security.declareProtected(view_management_screens, 'manage_main')
    manage_main=DTMLFile('dtml/connectionStatus', globals())
+    security.declareProtected(open_close_database_connection,
+                              'manage_close_connection')
    def manage_close_connection(self, REQUEST=None):
        " "
        try: 
@@ -158,6 +165,8 @@ class Connection(
        if REQUEST is not None:
            return self.manage_main(self, REQUEST)
+    security.declareProtected(open_close_database_connection,
+                              'manage_open_connection')
    def manage_open_connection(self, REQUEST=None):
        " "
        self.connect(self.connection_string)
@@ -193,3 +202,5 @@ class Connection(
    def sql_quote__(self, v):
        if find(v,"\'") >= 0: v=join(split(v,"\'"),"''")
        return "'%s'" % v
+InitializeClass(Connection)
--- a/lib/python/Shared/DC/ZRDB/DA.py
+++ b/lib/python/Shared/DC/ZRDB/DA.py
@@ -34,7 +34,12 @@ import DocumentTemplate.DT_Util
 from cPickle import dumps, loads
 from Results import Results
 from App.Extensions import getBrain
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 from AccessControl import getSecurityManager
+from AccessControl.Permissions import change_database_methods
+from AccessControl.Permissions import use_database_methods
+from AccessControl.Permissions import view_management_screens
 from AccessControl.DTML import RestrictedDTML
 from webdav.Resource import Resource
 from webdav.Lockable import ResourceLockedError
@@ -73,6 +78,11 @@ class DA(
    ):
    'Database Adapter'
+    security = ClassSecurityInfo()
+    security.declareObjectProtected(use_database_methods)
+    security.setPermissionDefault(use_database_methods,
+                                  ('Anonymous', 'Manager'))
    _col=None
    max_rows_=1000
    cache_time_=0
@@ -96,27 +106,14 @@ class DA(
        +OFS.SimpleItem.Item.manage_options
        )
-    # Specify how individual operations add up to "permissions":
-    __ac_permissions__=(
-        ('View management screens',
-         (
-        'index_html',
-        'manage_advancedForm', 'PrincipiaSearchSource', 'document_src'
-        )),
-        ('Change Database Methods',
-         ('manage_edit','manage_advanced', 'manage_testForm','manage_test',
-          'manage_product_zclass_info', 'PUT')),
-        ('Use Database Methods', ('__call__',''), ('Anonymous','Manager')),
-        )
    def __init__(self, id, title, connection_id, arguments, template):
        self.id=str(id)
        self.manage_edit(title, connection_id, arguments, template)
+    security.declareProtected(view_management_screens, 'manage_advancedForm')
    manage_advancedForm=DTMLFile('dtml/advanced', globals())
-    test_url___roles__=None
+    security.declarePublic('test_url')
    def test_url_(self):
        'Method for testing server connection information'
        return 'PING'
@@ -148,6 +145,7 @@ class DA(
                                arguments_src=arguments,
                                connection_id=connection_id, src=template)
+    security.declareProtected(change_database_methods, 'manage_edit')
    def manage_edit(self,title,connection_id,arguments,template,
                    SUBMIT='Change', dtpref_cols='100%', dtpref_rows='20',
                    REQUEST=None):
@@ -189,6 +187,7 @@ class DA(
        return ''
+    security.declareProtected(change_database_methods, 'manage_advanced')
    def manage_advanced(self, max_rows, max_cache, cache_time,
                        class_name, class_file, direct=None,
                        REQUEST=None, zclass='', connection_hook=None):
@@ -256,6 +255,7 @@ class DA(
    #    """Return content for use by the Find machinery."""
    #    return '%s\n%s' % (self.arguments_src, self.src)
+    security.declareProtected(view_management_screens, 'PrincipiaSearchSource')
    def PrincipiaSearchSource(self):
        """Return content for use by the Find machinery."""
        return '%s\n%s' % (self.arguments_src, self.src)
@@ -265,6 +265,7 @@ class DA(
    default_content_type = 'text/plain'
+    security.declareProtected(view_management_screens, 'document_src')
    def document_src(self, REQUEST=None, RESPONSE=None):
        """Return unprocessed document source."""
        if RESPONSE is not None:
@@ -278,6 +279,7 @@ class DA(
    def get_size(self): return len(self.document_src())
+    security.declareProtected(change_database_methods, 'PUT')
    def PUT(self, REQUEST, RESPONSE):
        """Handle put requests"""
        self.dav__init(REQUEST, RESPONSE)
@@ -297,6 +299,7 @@ class DA(
        return RESPONSE
+    security.declareProtected(change_database_methods, 'manage_testForm')
    def manage_testForm(self, REQUEST):
        " "
        input_src=default_input_form(self.title_or_id(),
@@ -304,6 +307,7 @@ class DA(
                                     '<dtml-var manage_tabs>')
        return DocumentTemplate.HTML(input_src)(self, REQUEST, HTTP_REFERER='')
+    security.declareProtected(change_database_methods, 'manage_test')
    def manage_test(self, REQUEST):
        """Test an SQL method."""
        # Try to render the query template first so that the rendered
@@ -344,6 +348,7 @@ class DA(
        finally: tb=None
+    security.declareProtected(view_management_screens, 'index_html')
    def index_html(self, REQUEST):
        """ """
        REQUEST.RESPONSE.redirect("%s/manage_testForm" % REQUEST['URL1'])
@@ -388,6 +393,7 @@ class DA(
        return result
+    security.declareProtected(use_database_methods, '__call__')
    def __call__(self, REQUEST=None, __ick__=None, src__=0, test__=0, **kw):
        """Call the database method
@@ -500,6 +506,8 @@ class DA(
        return getattr(getattr(self, self.connection_id), 'connected')()
+    security.declareProtected(change_database_methods,
+                              'manage_product_zclass_info')
    def manage_product_zclass_info(self):
        r=[]
        Z=self._zclass
@@ -517,9 +525,7 @@ class DA(
        return r
+InitializeClass(DA)
-Globals.default__class_init__(DA)
@@ -586,4 +592,3 @@ class SQLMethodTracebackSupplement:
    #__implements__ = ITracebackSupplement
    def __init__(self, sql):
        self.object = sql
--- a/lib/python/Testing/ZopeTestCase/ZopeLite.py
+++ b/lib/python/Testing/ZopeTestCase/ZopeLite.py
@@ -153,7 +153,7 @@ def installProduct(name, quiet=0):
                                get_folder_permissions(), raise_exc=1)
                _installedProducts[product_name] = 1
                Products.meta_types = Products.meta_types + tuple(meta_types)
-                Globals.default__class_init__(Folder)
+                Globals.InitializeClass(Folder)
                if not quiet: _print('done (%.3fs)\n' % (time.time() - start))
                break
        else:

--- a/lib/python/ZClasses/Property.py
+++ b/lib/python/ZClasses/Property.py
@@ -17,7 +17,12 @@ import transaction
 import OFS.PropertySheets, Globals, OFS.SimpleItem, OFS.PropertyManager
 import Acquisition
+from Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
 from AccessControl.Permission import pname
+from AccessControl.Permissions import manage_zclasses
+from AccessControl.Permissions import manage_properties
+from AccessControl.Permissions import access_contents_information
 class ClassCaretaker:
    def __init__(self, klass): self.__dict__['_k']=klass
@@ -48,9 +53,10 @@ class ZCommonSheet(OFS.PropertySheets.PropertySheet, OFS.SimpleItem.Item):
         'help':('OFSP','Security_Define-Permissions.stx')},
        )
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('Manage Z Classes', ('', 'manage')),
+    security.declareObjectProtected(manage_zclasses)
-        )
+    security.declareProtected(manage_zclasses, 'manage')
    def __init__(self, id, title):
        self.id=id
@@ -238,7 +244,8 @@ class ZCommonSheet(OFS.PropertySheets.PropertySheet, OFS.SimpleItem.Item):
                self, REQUEST,
                manage_tabs_message='The permission mapping has been updated')
-Globals.default__class_init__(ZCommonSheet)
+InitializeClass(ZCommonSheet)
 property_sheet_permissions=(
    # 'Access contents information',
@@ -250,26 +257,28 @@ class ZInstanceSheet(OFS.PropertySheets.FixedSchema,
                    ):
    "Waaa this is too hard"
+    security = ClassSecurityInfo()
+    security.declareObjectProtected(access_contents_information)
+    security.declareProtected(access_contents_information, 'hasProperty')
+    security.declareProtected(access_contents_information, 'propertyIds')
+    security.declareProtected(access_contents_information, 'propertyValues')
+    security.declareProtected(access_contents_information, 'propertyItems')
+    security.declareProtected(access_contents_information, 'propertyMap')
+    security.declareProtected(manage_properties, 'manage')
+    security.declareProtected(manage_properties, 'manage_addProperty')
+    security.declareProtected(manage_properties, 'manage_editProperties')
+    security.declareProtected(manage_properties, 'manage_delProperties')
+    security.declareProtected(manage_properties, 'manage_changeProperties')
    _Manage_properties_Permission='_Manage_properties_Permission'
    _Access_contents_information_Permission='_View_Permission'
-    __ac_permissions__=(
-        ('Manage properties', ('manage_addProperty',
-                               'manage_editProperties',
-                               'manage_delProperties',
-                               'manage_changeProperties',
-                               'manage',
-                               )),
-        ('Access contents information', ('hasProperty', 'propertyIds',
-                                         'propertyValues','propertyItems',
-                                         'propertyMap', ''),
-         ),
-        )
    def v_self(self):
        return self.aq_inner.aq_parent.aq_parent
-Globals.default__class_init__(ZInstanceSheet)
+InitializeClass(ZInstanceSheet)
 def rclass(klass):
    if not getattr(klass, '_p_changed', 0) and klass._p_jar is not None:
@@ -348,5 +357,4 @@ class ZInstanceSheets(OFS.PropertySheets.PropertySheets, Globals.Persistent):
            r.append(getattr(self, id))
        return propsets+tuple(r)
+InitializeClass(ZInstanceSheets)
-Globals.default__class_init__(ZInstanceSheets)
--- a/lib/python/ZClasses/ZClass.py
+++ b/lib/python/ZClasses/ZClass.py
@@ -13,7 +13,10 @@
 """Zope Classes
 """
 import Globals,  OFS.SimpleItem, OFS.PropertySheets, Products
+from Globals import InitializeClass
 import Method, Basic, Property, AccessControl.Role, re
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import create_class_instances
 from ZPublisher.mapply import mapply
 from ExtensionClass import Base
@@ -220,10 +223,8 @@ class ZClass( Base
    __propsets__=()
    isPrincipiaFolderish=1
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('Create class instances',
+    security.declareObjectProtected(create_class_instances)
-         ('', '__call__', 'index_html', 'createInObjectManager')),
-        )
    def __init__(self, id, title, bases, zope_object=1):
        """Build a Zope class
@@ -343,7 +344,7 @@ class ZClass( Base
        return '*'+id
-    changeClassId__roles__ = ()  # Private
+    security.declarePrivate('changeClassId')
    def changeClassId(self, newid=None):
        if newid is None: newid=self._new_class_id()
        self._unregister()
@@ -442,6 +443,7 @@ class ZClass( Base
    manage_options=ComputedAttribute(manage_options)
+    security.declareProtected(create_class_instances, 'createInObjectManager')
    def createInObjectManager(self, id, REQUEST, RESPONSE=None):
        """
        Create Z instance. If called with a RESPONSE,
@@ -470,6 +472,7 @@ class ZClass( Base
        else:
            return folder._getOb(id)
+    security.declareProtected(create_class_instances, 'index_html')
    index_html=createInObjectManager
    def fromRequest(self, id=None, REQUEST={}):
@@ -487,6 +490,7 @@ class ZClass( Base
                i.id = id
        return i
+    security.declareProtected(create_class_instances, '__call__')
    def __call__(self, *args, **kw):
        return apply(self._zclass_, args, kw)
@@ -511,7 +515,7 @@ class ZClass( Base
        r.sort()
        return r
-    getClassAttr__roles__ = ()  # Private
+    security.declarePrivate('getClassAttr')
    def getClassAttr(self, name, default=_marker, inherit=0):
        if default is _marker:
            if inherit: return getattr(self._zclass_, name)
@@ -521,7 +525,7 @@ class ZClass( Base
            else: return self._zclass_.__dict__[name]
        except: return default
-    setClassAttr__roles__ = ()  # Private
+    security.declarePrivate('setClassAttr')
    def setClassAttr(self, name, value):
        c=self._zclass_
        setattr(c, name, value)
@@ -529,7 +533,7 @@ class ZClass( Base
            transaction.get().register(c)
            c._p_changed=1
-    delClassAttr__roles__ = ()  # Private
+    security.declarePrivate('delClassAttr')
    def delClassAttr(self, name):
        c=self._zclass_
        delattr(c, name)
@@ -559,12 +563,11 @@ class ZClass( Base
        return (self.classDefinedPermissions()+
                self.classInheritedPermissions())
+    security.declarePublic('ziconImage')
    def ziconImage(self, REQUEST, RESPONSE):
        "Display a class icon"
        return self._zclass_.ziconImage.index_html(REQUEST, RESPONSE)
-    ziconImage__roles__=None
    def tpValues(self):
        return self.propertysheets.common, self.propertysheets.methods
@@ -619,6 +622,9 @@ class ZClass( Base
                    values.remove( value )
        return values
+InitializeClass(ZClass)
 class ZClassSheets(OFS.PropertySheets.PropertySheets):
    "Manage a collection of property sheets that provide ZClass management"

--- a/lib/python/ZClasses/ZClassOwner.py
+++ b/lib/python/ZClasses/ZClassOwner.py
@@ -13,6 +13,7 @@
 """Zope Classes
 """
 import ExtensionClass, Globals, ZClass, Products
+from Globals import InitializeClass
 def manage_subclassableClassNames(self):
    r={}
@@ -43,5 +44,4 @@ class ZClassOwner(ExtensionClass.Base):
    manage_subclassableClassNames=manage_subclassableClassNames
+InitializeClass(ZClassOwner)
-Globals.default__class_init__(ZClassOwner)
--- a/lib/python/webdav/Collection.py
+++ b/lib/python/webdav/Collection.py
@@ -17,7 +17,7 @@ $Id$
 from urllib import unquote
-import Globals
+from Globals import InitializeClass
 from AccessControl import getSecurityManager
 from zExceptions import MethodNotAllowed, NotFound
 from zope.interface import implements
@@ -142,4 +142,4 @@ class Collection(Resource):
            return objectValues()
        return []
-Globals.default__class_init__(Collection)
+InitializeClass(Collection)
--- a/lib/python/webdav/NullResource.py
+++ b/lib/python/webdav/NullResource.py
@@ -18,9 +18,14 @@ $Id$
 import sys
 import Acquisition, OFS.content_types
-import Globals
+from Globals import InitializeClass
 import OFS.SimpleItem
 from AccessControl import getSecurityManager
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import view as View
+from AccessControl.Permissions import add_folders
+from AccessControl.Permissions import webdav_lock_items
+from AccessControl.Permissions import webdav_unlock_items
 from Globals import Persistent, DTMLFile
 from OFS.CopySupport import CopyError
 from zExceptions import MethodNotAllowed
@@ -43,11 +48,7 @@ class NullResource(Persistent, Acquisition.Implicit, Resource):
    __implements__ = (WriteLockInterface,)
    __null_resource__=1
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('View',                             ('HEAD',)),
-        ('Add Folders',                      ('MKCOL',)),
-        ('WebDAV Lock items',                ('LOCK',)),
-    )
    def __init__(self, parent, name, request=None):
        self.__name__=name
@@ -64,6 +65,7 @@ class NullResource(Persistent, Acquisition.Implicit, Resource):
            raise Conflict, 'Collection ancestors must already exist.'
        raise NotFound, 'The requested resource was not found.'
+    security.declareProtected(View, 'HEAD')
    def HEAD(self, REQUEST, RESPONSE):
        """Retrieve resource information without a response message body."""
        self.dav__init(REQUEST, RESPONSE)
@@ -89,7 +91,7 @@ class NullResource(Persistent, Acquisition.Implicit, Resource):
            ob=File(name, '', body, content_type=typ)
        return ob
-    PUT__roles__ = ('Anonymous',)
+    security.declarePublic('PUT')
    def PUT(self, REQUEST, RESPONSE):
        """Create a new non-collection resource.
        """
@@ -166,6 +168,7 @@ class NullResource(Persistent, Acquisition.Implicit, Resource):
        RESPONSE.setBody('')
        return RESPONSE
+    security.declareProtected(add_folders, 'MKCOL')
    def MKCOL(self, REQUEST, RESPONSE):
        """Create a new collection resource."""
        self.dav__init(REQUEST, RESPONSE)
@@ -201,6 +204,7 @@ class NullResource(Persistent, Acquisition.Implicit, Resource):
        RESPONSE.setBody('')
        return RESPONSE
+    security.declareProtected(webdav_lock_items, 'LOCK')
    def LOCK(self, REQUEST, RESPONSE):
        """ LOCK on a Null Resource makes a LockNullResource instance """
        self.dav__init(REQUEST, RESPONSE)
@@ -252,8 +256,7 @@ class NullResource(Persistent, Acquisition.Implicit, Resource):
            RESPONSE.setHeader('Lock-Token', 'opaquelocktoken:' + token)
            RESPONSE.setBody(lock.asXML())
+InitializeClass(NullResource)
-Globals.default__class_init__(NullResource)
 class LockNullResource(NullResource, OFS.SimpleItem.Item_w__name__):
@@ -266,17 +269,14 @@ class LockNullResource(NullResource, OFS.SimpleItem.Item_w__name__):
    __locknull_resource__ = 1
    meta_type = 'WebDAV LockNull Resource'
-    __ac_permissions__ = (
+    security = ClassSecurityInfo()
-        ('WebDAV Unlock items',              ('UNLOCK',)),
-        ('View',                             ('manage_main',
-                                              'manage_workspace', 'manage')),
-        ('Add Folders',                      ('MKCOL',)),
-        ('WebDAV Lock items',                ('LOCK',)),
-        )
    manage_options = ({'label': 'Info', 'action': 'manage_main'},)
+    security.declareProtected(View, 'manage')
+    security.declareProtected(View, 'manage_main')
    manage = manage_main = DTMLFile('dtml/locknullmain', globals())
+    security.declareProtected(View, 'manage_workspace')
    manage_workspace = manage
    manage_main._setName('manage_main')  # explicit
@@ -291,7 +291,7 @@ class LockNullResource(NullResource, OFS.SimpleItem.Item_w__name__):
        self.id = self.__name__ = name
        self.title = "LockNull Resource '%s'" % name
-    title_or_id__roles__=None
+    security.declarePublic('title_or_id')
    def title_or_id(self):
        return 'Foo'
@@ -299,6 +299,7 @@ class LockNullResource(NullResource, OFS.SimpleItem.Item_w__name__):
        """Retrieve properties defined on the resource."""
        return Resource.PROPFIND(self, REQUEST, RESPONSE)
+    security.declareProtected(webdav_lock_items, 'LOCK')
    def LOCK(self, REQUEST, RESPONSE):
        """ A Lock command on a LockNull resource should only be a
        refresh request (one without a body) """
@@ -336,6 +337,7 @@ class LockNullResource(NullResource, OFS.SimpleItem.Item_w__name__):
        return RESPONSE
+    security.declareProtected(webdav_unlock_items, 'UNLOCK')
    def UNLOCK(self, REQUEST, RESPONSE):
        """ Unlocking a Null Resource removes it from its parent """
        self.dav__init(REQUEST, RESPONSE)
@@ -362,7 +364,7 @@ class LockNullResource(NullResource, OFS.SimpleItem.Item_w__name__):
            RESPONSE.setStatus(204)
        return RESPONSE
-    PUT__roles__ = ('Anonymous',)
+    security.declarePublic('PUT')
    def PUT(self, REQUEST, RESPONSE):
        """ Create a new non-collection resource, deleting the LockNull
        object from the container before putting the new object in. """
@@ -437,6 +439,7 @@ class LockNullResource(NullResource, OFS.SimpleItem.Item_w__name__):
        RESPONSE.setBody('')
        return RESPONSE
+    security.declareProtected(add_folders, 'MKCOL')
    def MKCOL(self, REQUEST, RESPONSE):
        """ Create a new Collection (folder) resource.  Since this is being
        done on a LockNull resource, this also involves removing the LockNull
@@ -484,4 +487,4 @@ class LockNullResource(NullResource, OFS.SimpleItem.Item_w__name__):
        RESPONSE.setBody('')
        return RESPONSE
-Globals.default__class_init__(LockNullResource)
+InitializeClass(LockNullResource)
--- a/lib/python/webdav/Resource.py
+++ b/lib/python/webdav/Resource.py
@@ -20,8 +20,15 @@ import sys
 from urllib import unquote
 import ExtensionClass
-import Globals
+from Globals import InitializeClass
 from AccessControl import getSecurityManager
+from AccessControl import ClassSecurityInfo
+from AccessControl.Permissions import delete_objects
+from AccessControl.Permissions import manage_properties
+from AccessControl.Permissions import view as View
+from AccessControl.Permissions import webdav_lock_items
+from AccessControl.Permissions import webdav_unlock_items
+from AccessControl.Permissions import webdav_access
 from Acquisition import aq_base
 from zExceptions import BadRequest, MethodNotAllowed
 from zExceptions import Unauthorized, Forbidden
@@ -56,16 +63,8 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
                      'MOVE', 'LOCK', 'UNLOCK',
                      )
-    __ac_permissions__=(
+    security = ClassSecurityInfo()
-        ('View',                             ('HEAD',)),
+    security.setPermissionDefault(webdav_access, ('Authenticated', 'Manager'))
-        ('WebDAV access',                    ('PROPFIND', 'manage_DAVget',
-                                              'listDAVObjects'),
-         ('Authenticated', 'Manager')),
-        ('Manage properties',                ('PROPPATCH',)),
-        ('Delete objects',                   ('DELETE',)),
-        ('WebDAV Lock items',                ('LOCK',)),
-        ('WebDAV Unlock items',              ('UNLOCK',)),
-    )
    def dav__init(self, request, response):
        # Init expected HTTP 1.1 / WebDAV headers which are not
@@ -158,6 +157,7 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
    # WebDAV class 1 support
+    security.declareProtected(View, 'HEAD')
    def HEAD(self, REQUEST, RESPONSE):
        """Retrieve resource information without a response body."""
        self.dav__init(REQUEST, RESPONSE)
@@ -197,7 +197,7 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
        self.dav__init(REQUEST, RESPONSE)
        raise MethodNotAllowed, 'Method not supported for this resource.'
-    OPTIONS__roles__=None
+    security.declarePublic('OPTIONS')
    def OPTIONS(self, REQUEST, RESPONSE):
        """Retrieve communication options."""
        self.dav__init(REQUEST, RESPONSE)
@@ -207,7 +207,7 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
        RESPONSE.setStatus(200)
        return RESPONSE
-    TRACE__roles__=None
+    security.declarePublic('TRACE')
    def TRACE(self, REQUEST, RESPONSE):
        """Return the HTTP message received back to the client as the
        entity-body of a 200 (OK) response. This will often usually
@@ -218,6 +218,7 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
        self.dav__init(REQUEST, RESPONSE)
        raise MethodNotAllowed, 'Method not supported for this resource.'
+    security.declareProtected(delete_objects, 'DELETE')
    def DELETE(self, REQUEST, RESPONSE):
        """Delete a resource. For non-collection resources, DELETE may
        return either 200 or 204 (No Content) to indicate success."""
@@ -256,6 +257,7 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
        return RESPONSE
+    security.declareProtected(webdav_access, 'PROPFIND')
    def PROPFIND(self, REQUEST, RESPONSE):
        """Retrieve properties defined on the resource."""
        self.dav__init(REQUEST, RESPONSE)
@@ -273,6 +275,7 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
        RESPONSE.setBody(result)
        return RESPONSE
+    security.declareProtected(manage_properties, 'PROPPATCH')
    def PROPPATCH(self, REQUEST, RESPONSE):
        """Set and/or remove properties defined on the resource."""
        self.dav__init(REQUEST, RESPONSE)
@@ -300,7 +303,7 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
        self.dav__init(REQUEST, RESPONSE)
        raise MethodNotAllowed, 'The resource already exists.'
-    COPY__roles__=('Anonymous',)
+    security.declarePublic('COPY')
    def COPY(self, REQUEST, RESPONSE):
        """Create a duplicate of the source resource whose state
        and behavior match that of the source resource as closely
@@ -406,7 +409,7 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
        RESPONSE.setBody('')
        return RESPONSE
-    MOVE__roles__=('Anonymous',)
+    security.declarePublic('MOVE')
    def MOVE(self, REQUEST, RESPONSE):
        """Move a resource to a new location. Though we may later try to
        make a move appear seamless across namespaces (e.g. from Zope
@@ -522,6 +525,7 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
    # WebDAV Class 2, Lock and Unlock
+    security.declareProtected(webdav_lock_items, 'LOCK')
    def LOCK(self, REQUEST, RESPONSE):
        """Lock a resource"""
        self.dav__init(REQUEST, RESPONSE)
@@ -581,6 +585,7 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
        return RESPONSE
+    security.declareProtected(webdav_unlock_items, 'UNLOCK')
    def UNLOCK(self, REQUEST, RESPONSE):
        """Remove an existing lock on a resource."""
        self.dav__init(REQUEST, RESPONSE)
@@ -601,12 +606,14 @@ class Resource(ExtensionClass.Base, Lockable.LockableItem):
        return RESPONSE
+    security.declareProtected(webdav_access, 'manage_DAVget')
    def manage_DAVget(self):
        """Gets the document source"""
        # The default implementation calls manage_FTPget
        return self.manage_FTPget()
+    security.declareProtected(webdav_access, 'listDAVObjects')
    def listDAVObjects(self):
        return []
-Globals.default__class_init__(Resource)
+InitializeClass(Resource)