Hi!

I am trying to get into understanding the Zope security machinery (Zope 2.4), and it seems to not quite do things as expected:

I have a Folder hierarchy like this:

ROOT
 --FOLDER

- In ROOT I have a method "title" and the "index_html" method
- I have a user "Charly" that has the role "TitleViewer" in a user folder in FOLDER
- the method "title" has View permissions linked to "TitleViewer" and "Manager"
- the "index_html" method contains a string "<dtml-var title missing>"

Now I go to http://.../ROOT/FOLDER/index_html. My user is "Charly". I would expect to see the title now, but I don't. If I remove the "missing" from the <dtml-var title>, I will get a key error for "title".

The funny thing is: http://.../ROOT/FOLDER/title will work fine ...

Also, if the user is in the ROOT folder, everything works fine. But then I can't really do what I want, i.e. restrict permissions to the FOLDER folder ...

What is wrong there? I don't have a clue what Zope protects, why and how. I always thought I knew about Zope security. But as soon as I add local roles or local user folders, things become very strange.

I mean, if the idea is that the user must have the "TitleViewer" role in ROOT to see title, then http://.../ROOT/FOLDER/title should not work (but it does). But if the idea is that objects are acquired first and then user roles are checked against them, http://.../ROOT/FOLDER/index_html should display the title stuff (but it does not).

Cheers
Joachim