Nowadays, there may be other (more modern) ways to handle such use cases. Some objects (I think,
Products.CMFCore.Folder.Folder objects and therefor Plone site objects) look for
IBeforePublishing (or similarly spelled) subscription adapters and call them (look at the
Folder source code). This has the advantage (over an "access rule") that a single subscription adapter registration can handle all your sites.
Whether you use a subscription adapter or an "AccessRule", I would register a post traversal hook (-->
request.post_traverse, defined in
ZPublisher.BaseRequest.BaseRequest). Such a hook is called after the traversal is finished. In this hook, I would (essentially) verify that
request["PUBLISHED"] is in the context of the initial portal (-->
aq_inContextOf, defined (and documented) in
Acquisition). Note that the real published object may be a method; in this case, you cannot use the object itself for the "in context check" but must use its
No guarantees that following the recipe above works as expected. If you use a subscription adapter, then commenting the registration and restarting would allow you to recover.
There used to be an envvar to disable "AccessRules", but, apparently, this is no longer the case. This means that if you do something wrong with an "AccessRule", you may need to use non standard ways (e.g.
bin/instance debug and low level API) to get rid again of the broken "AccessRule".