With commits 77d1e75f...3e0135b39a we added some security fixes and improvements to PyLucid v0.9.0.0715:
- Filter page permissions in the right way.
- Raise PermissionDenied if the current user isn't in the right user group.
- A user can't create an unprotected page below a protected page.
- Warn the user if page permissions mismatch with sub pages.
All of this is handled for:
- PageTree.permitViewGroup
- PageTree.permitEditGroup
- PageMeta.permitViewGroup
Some background information:
PyLucid does not check the complete page tree to prevent a user from seeing an unprotected page below a protected page. But from now on you can't create an unprotected page below a protected page, so a complete tree check is not really needed.
Note: Old mismatched permissions will not be corrected automatically!
Disadvantage of these changes:
You can't mix permissions within a page tree branch :( because a sub page must have the same permission as its parent, unless it's a root page :)
So you can't create a "1. internal section" with view group "users a" and add some "1.2. secret subpages" with group "admins b", because PyLucid can't know which user group is for the more important people.
Yes, we could instead only check whether the current page has any user group at all when the parent has a user group. But we will protect you from opening a "special interest" page to "normal users" ;)
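To make the rule above concrete, here is a small added example of the save-time check and the view check (this is illustrative code written for this post, not PyLucid's own code; the `Page` class, the function names and the local `PermissionDenied` stand-in for Django's exception are assumptions):

```python
from dataclasses import dataclass
from typing import List, Optional, Set


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (assumption, so this runs without Django)."""


@dataclass
class Page:
    """Minimal model of a PageTree entry; only permitViewGroup is modelled (assumption)."""
    slug: str
    parent: Optional["Page"] = None
    permit_view_group: Optional[str] = None  # None means the page is public


def check_view(page: Page, user_groups: Set[str]) -> bool:
    """Only the current page's group is checked, not the whole tree. That is safe
    because validate_sub_page() never lets an unprotected page exist below a
    protected one, so an ancestor can't be stricter than the page itself."""
    group = page.permit_view_group
    if group is not None and group not in user_groups:
        raise PermissionDenied(f"page {page.slug!r} requires group {group!r}")
    return True


def validate_sub_page(parent: Optional[Page], permit_view_group: Optional[str]) -> List[str]:
    """Rule enforced on save: below a protected parent the sub page must carry
    exactly the parent's group. A root page (no parent) and a sub page below a
    public parent may use any group. Returns form-style error messages."""
    if parent is None or parent.permit_view_group is None:
        return []
    if permit_view_group is None:
        return [f"can't create an unprotected page below protected page {parent.slug!r}"]
    if permit_view_group != parent.permit_view_group:
        return [f"view group {permit_view_group!r} mismatches parent group {parent.permit_view_group!r}"]
    return []


def find_mismatches(pages: List[Page]) -> List[str]:
    """Old data is not corrected automatically; this reports every existing sub
    page whose group mismatches its protected parent so an admin can fix it."""
    return [f"{p.slug}: {err}" for p in pages
            for err in validate_sub_page(p.parent, p.permit_view_group)]


# Constructed sample tree: a public root, a protected "internal" section and
# a legacy sub page whose group mismatches (would now be refused on save).
ROOT = Page("root")
INTERNAL = Page("internal", ROOT, "users a")
OLD_SECRET = Page("secrets", INTERNAL, "admins b")
```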
I added an example of how to create a secret page section in the docu pages.
Please leave a comment if you have any notes ;)
(Last update: 15 July 2011, 23:17 by jens.)
No comments exist for 'Security fixes in PyLucid v0.9.0.0715'