In previous versions of Zope, it was possible to write "setuid" code by setting AUTHENTICATED_USER to a new user, then resetting it when the code completed. Zope 2.2 loses this ability, as it has absolutely no API for setting or stacking the "current user" without completely replacing the ZopeSecurityPolicy.

This is problematic for things like GUF and GUS, which want to execute certain through-the-web objects *as* a particular user. Not as a mask between that user and the current user, but *as* that user, because the object is in the process of finding out what roles the logging-in user has.

Currently, it would seem the only way to do this within the bounds of the current ZopeSecurityPolicy is to poke into getSecurityManager()._context.user, which seems like a bad idea. There is already a getUser() method on the SecurityManager; should there perhaps be a setUser() (or _setUser()) method as well?