With an object path /A/B/C where C has a local role allowing a user to view C but where B disallows acquisition of the View permission, the publisher correctly allows the user to see C. However restrictedTraverse('/A/B/C') fails ("You are not allowed to access B in this context"). This is because restrictedTraverse checks the security (using "validate") at *every* step, and obviously the user is not allowed to see B. Is there a reason for this ? Why not simply validate only at the last step ? I have the need to programatically access object protected in such a way. The workaround I'm going to use in my code for now is to call unrestrictedTraverse and validate() by hand the resulting object. But I'm concerned that there may be a more profound security reason I'm missing. Florent -- Florent Guillaume, Nuxeo (Paris, France) +33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com