There's an insufficiently guarded operation in User.py def allowed(self, parent, roles=None): ... # This is a method, grab it's self. parent=parent.im_self if hasattr(parent, 'aq_inContextOf') and not parent.aq_inContextOf(self.aq_parent.aq_parent,1): if 'Shared' in roles: # Damn, old role setting. Waaa ... I've added the hasattr(parent, 'aq_inContextOf') to make sure that the second clause is reasonable. I'm not sure of the process of submitting fixes, etc, hopefully this will go to the right place.