diff -r 0c6f2f866202 -r 782b27eaf97a selectors.py
--- a/selectors.py	Tue Jul 06 09:41:19 2010 +0200
+++ b/selectors.py	Tue Jul 06 11:31:34 2010 +0200
@@ -883,10 +883,13 @@
         if self.target_etype is not None:
             try:
                 rdef = rschema.role_rdef(eschema, self.target_etype, self.role)
-                if self.action and not rdef.may_have_permission(self.action, req):
-                    return 0
             except KeyError:
                 return 0
+            if self.action and not rdef.may_have_permission(self.action, req):
+                return 0
+            teschema = req.vreg.schema.eschema(self.target_etype)
+            if not teschema.may_have_permission('read', req):
+                return 0
         elif self.action:
             return rschema.may_have_permission(self.action, req, eschema, self.role)
         return 1
@@ -903,6 +906,10 @@
                     return 0
             elif not rschema.has_perm(entity._cw, self.action, toeid=entity.eid):
                 return 0
+        if self.target_etype is not None:
+            teschema = entity._cw.vreg.schema.eschema(self.target_etype)
+            if not teschema.may_have_permission('read', req):
+                return 0
         return 1