proxy roles don't jive w/ new security model
OK. Thanks to a nudge from Martijn, I whipped out the trusty debugger and confirmed my worst fears. I have a DTML Method that is a view of an object. I'm using CMF and don't want the person to have to log in to submit content. So what I did was say, OK, I will create 2 Script (Pythons) that are proxied at a Management Role: A) creates a new content object, then displays the edit_form; B) submits the edit_form and updates the new instance ;). This is a valid use-case of the CMF. How I think this should be done is creating a PUBLIC user where unreviewed objects go; when they are submitted they are set to a review_status of pending; when they are published they are moved into another folder.

My Script (Python) -- which is proxied w/ all roles -- creates the new object and then calls a method, getEditView (which is accessible by Public), on my instance, which returns the edit_form, a DTML Method called with the instance as the client and the current REQUEST. Now when this DTML Method is called it gets a new SecurityContext, and the new SecurityContext doesn't care about my proxied roles (it takes them into zero consideration, and this should be noted in the developer guide), because the Context only cares about *who is calling*, which isn't the Proxy role but the actual user, Anonymous User.

** Thus when it's rendering the DTML Method it's rendering as Anonymous, not as my proxied Script (Python), and when it hits a this() it horks with a Not Authorized. ** <- I'm quite sure how true this is. It appears that when I'm going through the security machinery the 'anExecutableObject' (which is the DTML Method) *has* my proxy roles. BTW: I can't call manage_proxy on the DTML Method, because that also only cares about *who is calling*, and the Anonymous Role doesn't do much good for me (if I try 'Manager' or something it correctly complains that I do not have that proxy role). It appears that my DTML Method needs a _customSecurityPolicy.
It seems the publishing machinery publishes: the Script (Python), then MyDTMLMethod, then the header that MyDTMLMethod uses. Do I need a customSecurityPolicy to attach to my DTMLMethods so that they can run in the same security context (which I would like to be God -- remember they are submitting to a Script (Python) which is doing all the heavy lifting; the rendering is being returned by the Script (Python), so it would be fine if I had a "let this Publishing Event occur as God")?

Q: when my header says _.hasattr(this(), 'someAttr') <- this() is the client reference of dtml_method(client, request), correct?

This has caused me very much heartache ;( and emotional damage ;'(. I'm very confused and discouraged right now. If I told you how long I've spent on this you would cringe.

My end goal is to make a CMF product where people submit resumes/job postings (this works just fine w/ members logged in), but I need people who are not members to be able to submit job postings (so they need to be able to create and edit the entry for it to be pushed to a review status). I am trying to do this w/o changing my Objects because I want to be able to come up w/ an idiom for doing this for all CMF objects (since you may want people who are not members to submit Calendar Events, for instance). If I'm not giving enough information please help. I'm willing to spend time doing this. I am so far down this road and I've committed to someone that I would have it done. Any help would be appreciated,

~runyaga
participants (1)
-
alan runyan
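The behaviour the post describes (a proxied Script (Python) calling a DTML Method, and the DTML Method then being validated as the real Anonymous user rather than with the script's proxy roles) comes down to one rule: only the proxy roles of the executable currently on top of the execution stack are consulted. The following is an added example, not code from the post, from Zope or from CMF; it is a deliberately simplified model of that stack rule, and every name in it (Executable, SecurityContext, VIEW_ROLES, the run_script / render_edit_form / submit_as_anonymous helpers) is this example's own, not a Zope API. It also shows the one thing that would make the flow succeed under that rule, giving the DTML Method proxy roles of its own, which is the manage_proxy step the poster says he could not perform as Anonymous.

```python
# Simplified model (added example, NOT Zope's code) of how proxy roles
# interact with a stack of executables: validation only consults the
# proxy roles of the executable on TOP of the stack, so a caller's proxy
# roles never carry over into a callee that has none of its own.

from contextlib import contextmanager


class Unauthorized(Exception):
    """Raised when validation against the current security context fails."""


class Executable:
    """A script or template that can be published. Each carries its own
    proxy roles (empty set means "none assigned")."""

    def __init__(self, name, proxy_roles=None):
        self.name = name
        self.proxy_roles = set(proxy_roles or ())


class SecurityContext:
    """The real user plus a stack of executables; names are this example's."""

    def __init__(self, user_roles):
        self.user_roles = set(user_roles)
        self.stack = []

    @contextmanager
    def executing(self, executable):
        """Push an executable for the duration of its run (a new context layer)."""
        self.stack.append(executable)
        try:
            yield
        finally:
            self.stack.pop()

    def effective_roles(self):
        """Roles used for validation right now: the innermost executable's
        proxy roles if it has any, otherwise the real user's roles."""
        if self.stack and self.stack[-1].proxy_roles:
            return set(self.stack[-1].proxy_roles)
        return set(self.user_roles)

    def validate(self, required_roles):
        """Succeed if any effective role is among the required ones."""
        have = self.effective_roles()
        if not (have & set(required_roles)):
            top = self.stack[-1].name if self.stack else "<no executable>"
            raise Unauthorized("%s: need one of %s, have %s"
                               % (top, sorted(required_roles), sorted(have)))


# Roles assumed to be required to read the content object's attributes.
VIEW_ROLES = {"Manager", "Owner"}


def render_edit_form(ctx, dtml_method):
    """The DTML Method: calling this() touches protected attributes."""
    with ctx.executing(dtml_method):
        ctx.validate(VIEW_ROLES)      # e.g. _.hasattr(this(), 'someAttr')
        return "edit_form rendered"


def run_script(ctx, script, dtml_method):
    """The proxied Script (Python): create the object, then hand off."""
    with ctx.executing(script):
        ctx.validate(VIEW_ROLES)      # proxy roles apply here, as expected
        return render_edit_form(ctx, dtml_method)


def submit_as_anonymous(dtml_proxy_roles=None):
    """Run the whole flow as Anonymous; return the form or the error text."""
    ctx = SecurityContext(user_roles={"Anonymous"})
    script = Executable("create_and_edit", proxy_roles={"Manager"})
    dtml_method = Executable("edit_form", proxy_roles=dtml_proxy_roles)
    try:
        return run_script(ctx, script, dtml_method)
    except Unauthorized as exc:
        return "Not Authorized: %s" % exc


if __name__ == "__main__":
    # The script's own work passes, but the DTML Method it calls is
    # validated against Anonymous and fails:
    print(submit_as_anonymous())
    # Give the DTML Method proxy roles of its own and the same flow passes:
    print(submit_as_anonymous(dtml_proxy_roles={"Manager"}))
```

The point the model makes explicit is that the Script (Python)'s proxy roles are not a property of the request or of the user; they are a property of one stack frame, and they disappear the moment a callee executable is pushed on top of it. Anything the callee needs to do on behalf of the proxied caller has to be authorised by the callee's own proxy roles (or done inside the script before the hand-off).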