[Zope] Python Script Security Question

[Tom Nichols]

I don't seem to understand the Security applied to a script. 

I have a file object named config.  It has an integer property
next_person_id. I use it to create ids for some other objects. It gets
incremented and used.

I have a python script named next_personID which is called from another
script against the file config.  It should increment the next_person_id
property of the config object and then return the new value of the
property. This script and the one that calls it are owned by a user with
the manager security role.  
 
Here is the script:

	The python script next_personID is 
	
	"""
	Increment the next person_id and return it
	"""
	
	# Increment the ID
	id = context.next_person_id + 1
	
	# Update the stored ID
	context.manage_changeProperties(next_person_id=id)
	
	#return the ID as a string with a p_ prefix
	return "p_" + str(id)

When another user who does not have the manager role runs the script
that calls this one against the config object, this script fails because
the user does not have permission to do the manage_changeProperties
call. 

If I add 'manage properties' permission on the object config to a role
this user has, then the script runs properly. 

So it appears to me that the script runs with the user's permission
rather than the owners' permission (which I expected). 

Can anyone help me understand why the script doesn't run with its
owners' (a manager) permission to manage properties?

Thanks,

Tom Nichols
tom@westlong.com