"Evan Simpson" wrote Hm, in that case, wouldn't that then just recurse back through the parent folders looking for additional access controls?
Exactly :-) This can allow authentication to succeed at a higher level, while still giving you the nice inner Login page if it fails at all levels.
This isn't necessarily desirable in all cases, and you can't even *get* a basic authentication dialog when there's an inner cookie-based acl_users unless you define a method which explicitly throws 'LoginRequired'. It's still an improvement on the current default situation, though.
Should auth behave this way, tho? Should a top level acl_users take precedence over a lower level one? Doesn't that kill the ability of a manager of a subfolder to delegate control to their own users? Anthony