Hi,

I'm playing around with building a cookie-based authentication Zope product, and I've been learning a lot about users, roles, local roles and proxy roles ...

So I was wondering if my understanding of the proposed Owner role (given that documentation is very scanty) is correct, incorrect, or simply needs clarification. The thing is, my setup is working, but who knows what bugs may lie just around the corner, merely because I misunderstand the concepts... (and since I'm dealing with an authentication product, it is *_especially_* important).

I'm using the Owner role in the context of allowing a user to change his/her password. I suppose I could create another role to fulfill this, so it's really not a big deal if I shouldn't be using the Owner role for this purpose.

So this is my setup:

1. For a given Folder for which I am creating my cookie-based UserFolder (named acl_users, of course) I create a role known as a cookieLoggedUser. All users that are created in acl_users have the cookieLoggedUser role automatically added to their roles profile (and it cannot be deleted).

2. In this Folder, there are DTML methods to allow you to login/logout etc. (they are working fine and are of no importance to the issue at hand). When users log in, they acquire the role of cookieLoggedUser (along with the other roles defined for their user id, of course).

3. The acl_users permissions are modified to allow the 'Owner' role the privilege to "manage_users". (Is this advisable or is this a big security hole?)

4. I have a DTML method that displays the Change Password form (it submits the page to itself and I use a hidden form variable to check whether it should process the form or not).

5. This method has its permissions set so that only users with the cookieLoggedUser role can 'view' it or 'access contents information'. This means that Anonymous users can't see this page unless they log in first, in which case they acquire the cookieLoggedUser role.

6. The processing DTML code calls the acl_users methods to change the password (and has safeguards to prevent logged-in users from changing anybody else's passwords except their own). Because it accesses the acl_users methods which require 'manage_user' privileges, I gave this method a proxy role of 'Owner' so that it can execute these privileged methods.

Some notes:

a. I don't *_have_* to use the Owner role for this purpose. (I could easily create another role expressly just for accessing the acl_users privileged methods and my system would still work) but I do want to understand if the 'Owner' role is meant to be used in this context or not.

b. If you give a user the Owner role (along with the view management screens, of course), you allow him/her the privilege to 'manage_users'. My understanding is that you normally *_don't_* give this role out to any ordinary user? If this is incorrect, then my whole theory sinks down the drain... OTOH, if I'm incorrect, then just what the heck is the 'Owner' role for?

c. I've thought about possible security holes and think (given the levels of security HTTP protocols can give, of course) it's fairly secure. It could be made more secure by encrypting the cookie better and providing a secure channel (i.e. SSL).

d. I'd really like to hear the opinions of those in the know, especially about how we should use the 'Owner role' (of course, we can use it for any purpose we want to, but I want to know the *_right_* way to use it, i.e., the way it's meant to be used).

Thanks in advance,

Butch Landingin
butchland@yahoo.com
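The setup in steps 1-6, as an added example that is not part of the original post: a simplified Python model (not Zope's API; class and function names are hypothetical) showing that once the method runs with the Owner proxy role, the own-password comparison in the method is the only check between a logged-in user and every other account.

```python
# Simplified model of the post's setup; names are hypothetical, not Zope's API.
class Unauthorized(Exception): pass

MANAGE_USERS = "manage_users"        # privilege name as written in the post
VIEW_ROLES = {"cookieLoggedUser"}    # step 5: who may call the method
PROXY_ROLES = {"Owner"}              # step 6: roles the method runs with

class UserFolder:
    """Stands in for acl_users: password store plus role -> privilege grants."""
    def __init__(self):
        self.passwords, self.roles = {}, {}
        self.grants = {"Manager": {MANAGE_USERS}, "Owner": {MANAGE_USERS}}  # step 3

    def add_user(self, name, password, roles=()):
        self.passwords[name] = password
        self.roles[name] = {"cookieLoggedUser", *roles}                     # step 1

    def set_password(self, effective_roles, name, password):
        # Privileged method: checked against whatever roles are in effect.
        if not any(MANAGE_USERS in self.grants.get(r, ()) for r in effective_roles):
            raise Unauthorized("manage_users required")
        self.passwords[name] = password

def change_password(folder, auth_user, target, password, safeguard=True):
    """The DTML method of steps 4-6; auth_user is None for Anonymous."""
    if not folder.roles.get(auth_user, {"Anonymous"}) & VIEW_ROLES:
        raise Unauthorized("log in first")
    # Past this point the caller's own roles are irrelevant: the proxy role
    # satisfies the privilege check, so this comparison is the only barrier.
    if safeguard and target != auth_user:
        raise Unauthorized("can only change your own password")
    folder.set_password(PROXY_ROLES, target, password)

def allowed(fn, *args, **kw):
    try:
        fn(*args, **kw)
    except Unauthorized:
        return False
    return True

def demo():
    f = UserFolder()
    for name in ("alice", "bob"):    # constructed sample users
        f.add_user(name, "initial")
    return {
        "anonymous": allowed(change_password, f, None, "alice", "x"),
        "direct call": allowed(f.set_password, f.roles["bob"], "bob", "x"),
        "own password": allowed(change_password, f, "bob", "bob", "new"),
        "other user": allowed(change_password, f, "bob", "alice", "x"),
        "no safeguard": allowed(change_password, f, "bob", "alice", "x", safeguard=False),
    }
```

In this model a user who actually holds Owner passes `set_password` directly for any account, which is the concern raised in note b.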