Hi,

This comes from a chat on #zope and some worries I've had since the server side issue was raised.

Unless I'm mistaken, the new security model doesn't solve the issue because ownership isn't changed by editing. Let's take the example of a ZWiki page which executes any DTML in its contents when it is rendered.

Jim is a Manager.
Paul is a Manager.
DrEvil has the ability to edit ZWiki Pages, but not call the DEE (Delete Everything, Everywhere ;-) Method.

So, Jim comes along and creates a ZWiki Page describing the new security model.

DrEvil comes along, edits the page and plants a <dtml-call "DEE(backup='no')"> in the page. He can't view this page since, as I understand it, code is executed with the lower of the owner and the viewer's permissions.

Paul comes along to read the new ZWiki page, and IIUC, inadvertently executes DEE and deletes everything, everywhere, because he is a manager, and Jim (still the owner) is a manager and so DEE executes.

Have I missed something?

cheers,

Chris
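The scenario above, as an added toy model that is not Zope's own code and not part of the original mail. It simulates the "lower of owner and viewer" rule as a set intersection of permissions, walks Jim, DrEvil and Paul through the page, and contrasts the model in which editing leaves ownership untouched with a variant (an assumption for illustration, toggled by `reassign_owner_on_edit`) in which the last editor of executable content becomes its owner. The user table, permission names, `DEE_CALL` and the `WikiPage`, `render` and `run_scenario` helpers are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed user table for the mail's three actors (illustrative permission
# names, not a real Zope role/permission configuration).
USERS = {
    "Jim":    frozenset({"View", "Change ZWiki Pages", "Call DEE"}),  # Manager
    "Paul":   frozenset({"View", "Change ZWiki Pages", "Call DEE"}),  # Manager
    "DrEvil": frozenset({"View", "Change ZWiki Pages"}),              # editor only
}

# The planted call from the mail; rendering "executes" it if permitted.
DEE_CALL = '<dtml-call "DEE(backup=\'no\')">'


@dataclass
class WikiPage:
    owner: str
    contents: str
    # Assumed mitigation toggle for the example: when True, whoever last edited
    # the executable content becomes its owner.
    reassign_owner_on_edit: bool = False
    editors: list = field(default_factory=list)

    def edit(self, user: str, new_contents: str) -> None:
        """Editing needs only the edit permission; it never needs 'Call DEE'."""
        if "Change ZWiki Pages" not in USERS[user]:
            raise PermissionError(f"{user} may not edit this page")
        self.contents = new_contents
        self.editors.append(user)
        if self.reassign_owner_on_edit:
            self.owner = user


def effective_permissions(page: WikiPage, viewer: str) -> frozenset:
    """Embedded code runs with the intersection of owner's and viewer's permissions."""
    return USERS[page.owner] & USERS[viewer]


def render(page: WikiPage, viewer: str) -> str:
    """Simulated render: reports whether the embedded DEE call would run."""
    perms = effective_permissions(page, viewer)
    if "View" not in perms:
        return "view denied"
    if DEE_CALL in page.contents:
        if "Call DEE" in perms:
            return "DEE executed"
        return "render failed: DEE unauthorized"
    return "rendered"


def run_scenario(reassign_owner_on_edit: bool) -> dict:
    """Jim creates the page, DrEvil plants the call, then DrEvil and Paul view it."""
    page = WikiPage(owner="Jim",
                    contents="Notes on the new security model ...",
                    reassign_owner_on_edit=reassign_owner_on_edit)
    page.edit("DrEvil", page.contents + "\n" + DEE_CALL)
    return {
        "owner_after_edit": page.owner,
        "DrEvil views": render(page, "DrEvil"),
        "Paul views": render(page, "Paul"),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"reassign_owner_on_edit={flag}: {run_scenario(flag)}")
```

With ownership left on Jim, DrEvil's own view fails (Jim ∩ DrEvil lacks `Call DEE`) but Paul's view runs DEE, exactly the outcome the mail describes; with ownership following the last editor, Paul's view is checked against DrEvil ∩ Paul and the call is refused. The intersection check alone is only as good as the owner it intersects with, so the property to verify in any such model is that the owner recorded on executable content is whoever last had the chance to change it.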