Finally... I'm not convinced the new security stuff deals properly with attributes other than simple methods. Here's the evidence, again from Squishdot (guess what I've been doing ;-)

You remember the Posting class? Well, Posting's objects have a text attribute called 'subject'. Unless you have __allow_access_to_unprotected_subobjects__=1, you get the following error after you hit cancel on the authentication dialog box that pops up:

(well, I was getting an unauthorized error on subject, now I just get no response from the server, not even a password dialog box :( That's really bad...)

Anyway, on to the next example...

If you modify Squishfile by adding an:

    __ac_permissions__=(
        ('View',
         ['file_name', 'file_type', 'content_type', 'file_bytes',
          'file_kbytes', 'date_created', 'date_modified', 'icon',
          'index_html'],
         ('Anonymous', 'Manager')),
        )

and a:

    Globals.default__class_init__(Squishfile)

at the end, things should work fine; of course, they don't. Right now, I'm just getting no response from the server; what I was getting (which was better ;-) is an unauthorized error on 'icon'.

icon is defined in Squishfile as follows:

    icon='misc_/Squishdot/squishfile_img'

...and is protected by the 'View' permission, as you can see above.

What is going on?!

Chris

PS: When do you and do you not mix in RoleManager? What does it do and when is it needed?

PPS: If anyone wants to test this for themselves, let me know and I'll check my code into the Squishdot public CVS (on a branch! ;-)