
zope_security_observations

Findings about Zope's security mechanism

* Raising a string "Unauthorized" produces a 401 error: Zope's publisher turns it into the HTTP 401 response that makes the browser prompt for credentials.
* The user you get via sm.getUser reflects the login/password passed by the browser, not the user actually needed. That means a script can be accessible with 'View' and still raise a 401 from inside.
* The security declarations are made within the class of the objects, usually on the instances as well as on methods, via security.declareProtected.
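The following is an added example, not code from this blog or from Zope itself: a small stand-alone model of the two layers noted above. The outer check applies the permission declared for a method before the method runs; the method can still raise Unauthorized from inside, which the publisher maps to a 401. The `__ac_permissions__` tuple is written by hand here with the same shape Zope gives it, (permission, (method names...)); `User`, `Document`, `publish`, `permission_for` and the role table are this example's own constructions. Note that current Zope raises the `AccessControl.Unauthorized` exception class rather than a string; Python dropped string exceptions in 2.6.

```python
class Unauthorized(Exception):
    """Deny access. In Zope, raising this from a published method makes
    the publisher answer with 401 and a login challenge."""


class User:
    """Stand-in for the user sm.getUser would return (example only)."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


# Constructed permission -> roles table (what a Zope role map would hold).
PERMISSION_ROLES = {
    'View': frozenset({'Anonymous', 'Authenticated', 'Manager'}),
    'Manage properties': frozenset({'Manager'}),
}


class Document:
    """Object whose methods are guarded the way Zope guards published methods."""

    # Same shape as Zope's __ac_permissions__: (permission, (method, ...)).
    __ac_permissions__ = (
        ('View', ('index_html', 'secret_report')),
        ('Manage properties', ('set_title',)),
    )

    def __init__(self, title):
        self.title = title

    def index_html(self, user):
        return 'Document: %s' % self.title

    def secret_report(self, user):
        # Reachable with 'View', but only meant for Managers: refuse from
        # inside the method, which still yields a 401 to the browser.
        if 'Manager' not in user.roles:
            raise Unauthorized('secret_report needs the Manager role')
        return 'Report for %s' % user.name

    def set_title(self, user, title):
        self.title = title
        return self.title


def permission_for(cls, name):
    """Find which permission __ac_permissions__ declares for a method."""
    for permission, names in cls.__ac_permissions__:
        if name in names:
            return permission
    raise Unauthorized('%s is not declared publishable' % name)


def publish(obj, name, user, *args):
    """Outer check (done before a published method is called), then the
    call itself; any Unauthorized becomes an HTTP 401 status."""
    try:
        permission = permission_for(type(obj), name)
        if not (user.roles & PERMISSION_ROLES[permission]):
            raise Unauthorized('%s requires %s' % (name, permission))
        return 200, getattr(obj, name)(user, *args)
    except Unauthorized as exc:
        return 401, str(exc)


# Constructed users: an anonymous visitor and a Manager.
anonymous = User('anonymous', ['Anonymous'])
admin = User('admin', ['Authenticated', 'Manager'])

if __name__ == '__main__':
    doc = Document('notes')
    print(publish(doc, 'index_html', anonymous))      # 200: 'View' is enough
    print(publish(doc, 'secret_report', anonymous))   # 401 raised inside the method
    print(publish(doc, 'secret_report', admin))       # 200
    print(publish(doc, 'set_title', anonymous, 'x'))  # 401 from the outer check
```

The two 401 cases look identical to the browser, which is the point of the second finding: the declared permission only says who may reach the method, and the method is free to demand more once it has the caller's credentials.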

Questions:

* What's the purpose of __ac_permissions__, as found in PropertyTools?
