Recently I noticed that methods for retrieving user roles are affected by the URL from which the user logged in using basic authentication (as opposed to the location of the user account). I don't see any authentication-related cookies at all from ZOPE, session or otherwise, just basic HTTP authorization.

The problem is this: if one authenticates at a location deeper than their user account, authorization should apply up to the level of the account. It does - any method requiring authorization is allowed to run between the point of login and the user account - but when I test with *any* of these routines between the point of login and the user account it shows only 'Anonymous' - not the expected roles.

    user.getRoles()
    _.SecurityGetUser().getRoles()
    user.has_role( roleName )

Visiting /manage or any other objects which require authorization works between the user account and the point of login - in fact, after rendering an object which would prompt for authorization if the only role were *really* Anonymous, the roles for that object and ones it contains are fixed and show the expected results with getRoles() and has_role().

This problem occurred with ZOPE 2.5.0 or 2.5.1, and IE 5.5 or NN 7.0.

Grant K Rauscher
GeeKieR Enterprises
http://www.geekier.com/