In writing my NT domain authentication folder, I'm having some problems deriving a new user folder product. Everything works, _except_ Zope refuses to authorize the user, even though the authentication technically succeeds; I see that object traversal accepts the user, but it's Zope's document rendering thing that denied the authorization.

The problem seems to boil down to a problem with BasicUser and its allowed() method. If I override BasicUser's allowed() method (which is aliased as "hasRole") and explicitly return 1, no problem. What's weird is that Zope's implementation of BasicUser.allowed() actually raises an exception, and this is the reason that it does not validate the role:

    Traceback (innermost last):
      File "\tools\zope\lib\python\AccessControl\User.py", line 204, in allowed
        if not parent.aq_inContextOf(self.aq_parent.aq_parent,1):
    AttributeError: aq_inContextOf

It's the damndest thing. I'm thinking perhaps my user instance is acquisition-crippled, but my folder's validate() method _is_ doing this:

    User = User.__of__(self)
    ...
    return User

If it's of any relevance, I've used the etcFolderUser product as a template.

I'm sure it's pretty simple. If need be I can send the actual code.

--
Alexander Staubo
http://www.mop.no/~alex/
"Give me an underground laboratory, half a dozen atom smashers and a beautiful girl in a diaphanous veil waiting to be turned into a chimpanzee, and I care not who writes the nation's laws."
--S. J. Perelman