Security/Acquisition Bug? (take two)
I had posted about this previously, but no one has tackled this one. It seems to be a pretty serious issue, plus I've done a *lot* of poking around and learned a few things since I first reported it. What I have *not* found (or been told) is that the below described behavior is normal.

First, a simple exercise for those who would like to avoid my laborious novice Zoper description and just ferret out the likely bug: Create a fresh CVS copy of Zope on your *nix box. Build it (python wo_pcgi.py), configure 'start' with the ports of your choosing, set a superuser password, start Zope and try to visit the /index_html page. What I'm getting at that point is a BASICAUTH login box. One has to explicitly enable anonymous permissions on the index_html page in order to view it without logging in.

I've read through all the security model discussion I could find, but saw no discussion of this issue. If somehow this behavior is intentional, I would greatly appreciate a clue to that effect. (Some response either way would be nice, actually...)

Based on my recent flailings with LoginManager and finally, stock acl_users in Zope v2.2.cvs, it seems this problem relates to the "scope" of acl_users and/or its parent folder not including the objects within. The security settings of the parent folder are apparently not regarded in determining access to objects within. Instead, acl_users is only impacting its sibling objects (and presumably their child objects).

Apologies if I'm making the wrong noises in the wrong place in the wrong way. Any help or pointers welcome.

-cw-

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Charlie Wilkinson - cwilkins@boinklabs.com - N3HAZ
Parental Unit, UNIX Admin, Homebrewer, Cat Lover, Spam Fighter, HAM, SWLer...
Visit the Radio For Peace International Website: http://www.rfpi.org/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CLOBBER INTERNET SPAM: See!! <http://spam.abuse.net/> Join!! <http://www.cauce.org/>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
QOTD: "Bush is a big corporation disguised as a human being running for president." -- Ralph Nader on David Letterman (9/28/00)
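As an added example (not part of the original post), a small Python check that automates the last step of the reproduction above: request a page without credentials and report whether Zope served it anonymously or answered with a Basic auth challenge, so the behaviour can be compared across paths (for instance "/" against "/index_html") before and after permissions are changed. The host, port, realm string and sample responses below are constructed assumptions, not values from the post.

```python
"""Probe a Zope instance for anonymous access vs. a Basic auth challenge."""
import http.client
from urllib.parse import urlsplit

ANON_OK = "anonymous-ok"            # page served without credentials
BASIC_CHALLENGE = "basic-auth-challenge"  # 401 with WWW-Authenticate: Basic


def classify_response(status, headers):
    """Map an HTTP status and lower-cased header dict to an outcome label."""
    auth = headers.get("www-authenticate", "")
    if status == 401 and auth.lower().startswith("basic"):
        return BASIC_CHALLENGE
    if 200 <= status < 300:
        return ANON_OK
    return f"other-{status}"


def probe(url, timeout=5):
    """Issue one unauthenticated GET (no Authorization header) and classify it.

    Assumes a plain http:// URL such as http://localhost:8080/index_html.
    """
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"User-Agent": "anon-probe"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify_response(resp.status, headers)
    finally:
        conn.close()


def probe_paths(base, paths):
    """Probe several paths on one instance; returns {path: outcome}."""
    return {p: probe(base.rstrip("/") + p) for p in paths}


# Constructed sample responses, shaped like what the post describes.
SAMPLE_CHALLENGE = (401, {"www-authenticate": 'Basic realm="Zope"'})
SAMPLE_OPEN = (200, {"content-type": "text/html"})

if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    for path, outcome in probe_paths(base, ["/", "/index_html"]).items():
        print(f"{path:12} {outcome}")
```

Run it against a freshly built instance, then again after enabling the anonymous permission on index_html; the first run should report the Basic challenge the post describes and the second should report the page as anonymously served.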