Phillip J. Eby writes:

LoginManager will behave just like your outline, if you give it a BasicCookie LoginMethod, and a BasicAuth LoginMethod, in that order. LoginManager does not climb up the acquisition hierarchy, as that is properly the province of ZPublisher to do. It will provide the anonymous user, if it is a top-level user folder.

You're right if course. I just didn't realize that the PTK was set up to require cookie logins, so I was trying to avoid them and solve the simpler piece of the problem first :-( Oh well, that's working fine now. I can log in, but it looks like permissions aren't getting set/propagated correctly: The initial management user is created with roles: ['Member', 'Manager', 'Reviewer'] My PersistentUserSource returns this list correctly as the roles list. All of the following are in Zope 2.1.6: 1. If I create the Portal as superuser with the Portal manager having the same username as me, then log in to the portal in a new browser I can see my folder but don't even have the permission to create new objects in it. 2. If I create the Portal as me, a site Manager, with the Portal manager having my user name, then log in as above, I can create objects but clearly don't have Reviewer rights. 3. If I create the Portal as me with the Portal manager having another username, then log in as above, it's just like the first case. I can see my folder but can't create anything in it. Any idea what I'm doing wrong now?