check_permission is (incorrectly) use security adapters which can check the wrong users permissions

Security adapters are the classes in security.py that adapt to IAuthorization by inheriting from Authorization base. These implement "checkAuthenticated" which gets passed a "user" object. Calling "check_permission" in such an adapter does not pass that user object on to the next adapter but instead will pick the user from the current Zope interaction. Although it is very likely that this will be the same user it still seems wrong because nothing does stop the code from checking permissions for a completely different user than originally requested.

The correct way is to use "getAdapter" to find the right security adapter to refer to and call "checkAuthenticated" on it, passing on the original user object. A helper function (or method on Authoriazation base) to wrap that would be make this easy, too.