The default portal property "permissions.view.dynamic.inheritance=true" should cause the portal server to check "the view permission on the document's folder and all its parent folders." (quote from portal properties)
However, that does not work.
1. Login as administrator
2. Create folder "files" in document library and revoke all permissions from that folder except the owner permissions
3. Create subfolder "images" in folder "files" with guest view and access permissions
4. Add some file to folder "images" with guest view permission
5. Place search portlet on home page
7. Search for the filename of the uploaded file
Result: The search returns the file entry and the file can be downloaded.
Expected: The search should return no results and the file entry should not be accessible as the guest user does not have access or view permission on the top folders
The reason of this is while the permission check for the view action coalesces to the parent folder, the check for access action does not.