Dear Readers!

There is an (IMHO) subtle difference with respect to the view permission between DTML documents and DTML methods (this is true at least for Zope 2.5.0): If you insert into index_html the content of one DTML document and one DTML method, you need view permission for the method but not necessarily for the document. On the other hand, you don't need access-contents-information permission for the method. (I don't know which operation on the method requires this permission.)

Why?

Now the long description. Imagine the following object tree:

    root
     |
     +- myFolder
     |   |
     ~   +- index_html
    ...  |
     ~   +- mySubfolder1
         |   |
         |   +- myDocument
         |
         +- mySubfolder2
         |   |
         ~   +- myDocument
        ...
         ~
         |
         +- mySubfolderN
         |   |
         |   +- myDocument
         |
         +- myMethod
         |
         ~
        ...
         ~

There is the DTML method index_html. It's responsible (per acquisition) for viewing the content of one of the myDocument documents from one of the mySubfolder1..N folders. It also uses myMethod. Both myDocument and myMethod are inserted into index_html via <dtml-var...>.

There are N DTML documents myDocument, each of which includes some content, each in its own subfolder. You can view one myDocument by requesting http://myFolder/mySubfolderX, with X being one of 1 to N.

There is the DTML method myMethod, which creates some content based on the properties of the current document.

So far so good. But now: How to set up strict access permissions? (At the moment I'm only talking about permissions for read access to the objects via their URL --- a.k.a. "the third view".)

The requirements for the permissions are (this is what I want):

1. index_html is viewable by anonymous.

2. Only index_html is directly viewable. So http://myFolder/mySubfolder1 through http://myFolder/mySubfolderN are the only valid URLs.

3. From 2 it follows: all myDocument documents and the myMethod method must not be directly viewable, but only by (or through) index_html. So requests to http://myFolder/myMethod or http://myFolder/mySubfolderX/myDocument are not permitted.

I tried this:

 o remove view permission from myFolder and
 o set view permission explicitly on index_html.

To my surprise, this doesn't work but results in an error on the request http://myFolder/mySubfolderX:

    Error Type: Unauthorized
    Error Value: You are not allowed to access myMethod in this context

I have to give view permission to myMethod as a workaround. However, now myMethod can be directly viewed via its URL, which it shouldn't be.

My questions now are:

1. Why is it as it is? I mean: Is it a bug or a feature?

2. How do I set up the objects properly to fit the above requirements?

With respect
Peter

--
Dipl.-Ing. Peter Ehrenberg    Tel.: (040) 756604-40
Rotenhäuser Straße 51         Fax:  (040) 756604-41
21109 Hamburg                 Netz: http://www.dipe.de
Germany                       mailto:pe@dipe.de