Hi, I've just been reading an interesting article on XML-RPC which lead me to try something and ask some questions... If you go to http://www.zope.org/title_or_id you get the result of the title_or_id method. The same is true of the manage method and the REQUEST method. Me being paranoid, this makes me wonder whether there are any 'bad' methods that could be executed in this way, without any security authorization? Again, being paranoid, how would you got about turning off the title_or_id or REQUEST methods, or at least requiring authorisation to use them? (While of course leaving it possible for DTML methods and the like within the site to call them) Finally, if you had a DTML document, method or image, etc, called title_or_id or manage, how would you go about getting the one you want, either the document or the result of calling the method? cheers for any help, confusedly, Chris