Okay, next up, if it's a security error, it should throw a security error! :( Squishdot Posting's can have file attachments. class Posting(Persistent, Implicit,RoleManager): ... # protected by 'View' permission def attachment(self): file=self.file return file and (file,) or None ... These are stored as attributes in a totally un-security aware class: class Squishfile(Acquirer,Persistent): def file_name(self): return self._name ... posting_html is a DTML method and, in 2.2, fails is this bit (which used to work! ;-): <dtml-if attachment> <dtml-in attachment> <A HREF="./<dtml-var file_name url_quote>"> <IMG SRC="<dtml-var SCRIPT_NAME >/<dtml-var icon>" HEIGHT="16 WIDTH="16" BORDER="0" ALT="Click to download attachment"></A> <A HREF="./<dtml-var file_name url_quote>"><dtml-var file_name></A> <dtml-var file_kbytes>KB (<dtml-var file_bytes> bytes)<BR> </dtml-in attachment><BR> </dtml-if attachment> However, the error is rather strange: Error Type: KeyError Error Value: file_name (traceback in PS) This, believe it or not, is actually a security error, since I can make it go away by mixing RoleManager into Squishfile and adding __allow_access_to_unprotected_subobjects__=1 to the class. Why do I get this, which I presume is due to file_name not being available in the stacked namespaces, rather than a security dialog box? confusedly, Chris PS: The above code works fine in the management interface, without any changes to Squishfile, which was the subejct fo my previous post.