I've set up LoginManager with SQL and it's working OK, but I've run into a case where the browser pops up a basic/HTTP authentication request when I try to access a particular object inside the LoginManager-protected area.

In particular, I added the following line to the index_html DTML Document (at the same level as the LoginManager acl_users folder):

    <dtml-var "_.getattr('AUTHENTICATED_USER', '__class__')">

Without this line I can access the index_html file after logging in via the LoginManager scheme as a user with the 'Members' role. But with this line I get the basic authorization popup and if I cancel that I can see the following exception in the "Zope Error" page:

================
Traceback (innermost last):
  File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 222, in publish_module
  File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 187, in publish
  File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 171, in publish
  File D:\PROGRA~1\Zope225\lib\python\ZPublisher\mapply.py, line 160, in mapply
    (Object: index_html)
  File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 112, in call_object
    (Object: index_html)
  File D:\PROGRA~1\Zope225\lib\python\OFS\DTMLDocument.py, line 177, in __call__
    (Object: index_html)
  File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_String.py, line 528, in __call__
    (Object: index_html)
  File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_Util.py, line 337, in eval
    (Object: _.getattr('AUTHENTICATED_USER', '__class__'))
    (Info: _)
  File <string>, line 0, in ?
  File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_Util.py, line 144, in careful_getattr
Unauthorized: __class__
================

So it looks like attempting to access the '__class__' attribute triggered this, but I don't understand why it led to basic authentication. If this required 'Manager' permissions, why didn't I just get some kind of "forbidden" response?
It looks like the careful_getattr() function will raise a ValidationError on any attempt to access a variable whose name starts with '_'. Fine, maybe I was being naughty. But I still don't understand why this wasn't handled using LoginManager.

How can I keep Basic/HTTP authentication from running when I've got LoginManager in place? Or is there reason to want both at once?

--
Fred Yankowski          fred@OntoSys.com     tel: +1.630.879.1312
Principal Consultant    www.OntoSys.com      fax: +1.630.879.1370
OntoSys, Inc            38W242 Deerpath Rd, Batavia, IL 60510, USA
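
Added example (not part of the original message and not Zope's own code): a simplified Python model of the behaviour described above, where a getattr guard rejects underscore-prefixed names by name alone and the publisher answers the resulting Unauthorized error with an HTTP 401 challenge. The User class, the function names, the realm string and the publisher mapping are assumptions made for illustration.

```python
# Simplified model for illustration; not taken from the Zope source tree.

class Unauthorized(Exception):
    """Stands in for the 'Unauthorized' error shown in the traceback."""


class User:
    # Hypothetical user object: a name plus the roles granted to it.
    def __init__(self, name, roles):
        self.name = name
        self.roles = tuple(roles)


def guarded_getattr(obj, name):
    """Refuse any underscore-prefixed name before touching the object.

    The decision depends only on the attribute name, so no role passes it.
    """
    if name.startswith("_"):
        raise Unauthorized(name)
    return getattr(obj, name)


def publish(render, user):
    """Assumed publisher behaviour: every Unauthorized becomes a 401 challenge."""
    try:
        return 200, {}, render(user)
    except Unauthorized as exc:
        # Constructed header value; a browser reacts to it with a login popup.
        headers = {"WWW-Authenticate": 'basic realm="Zope"'}
        return 401, headers, "Unauthorized: %s" % exc


def page_with_class_lookup(user):
    # Mirrors the intent of the DTML expression: read '__class__' via the guard.
    return str(guarded_getattr(user, "__class__"))


def page_with_name_lookup(user):
    # A lookup of a public attribute, for comparison.
    return "Hello, %s" % guarded_getattr(user, "name")


if __name__ == "__main__":
    for roles in (["Members"], ["Manager"]):
        user = User("member1", roles)  # constructed sample user
        print(roles, publish(page_with_class_lookup, user)[:2])
        print(roles, publish(page_with_name_lookup, user)[0])
```

In this model the 'Manager' role gets the same 401 as 'Members', because the guard never consults roles.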