I discovered a security problem in my plone/zope installation for every ttw-type. environment: - plone version 1.0.5 - os: windows 2000 - installed products: ttwtype, zopexmlmethods - created ttwtype 'ttwTypnamesFoo' in folder /myPloneFolder 1) at the root folder of my plone instance, I created a role A with permissions: a) Access session data und b) Access Transient Objects 2) I created user 01 with role A - correct: the user 01 never gets to see the tab with the edit-action - that's why on points 3) and 4) the access to the edit-form is done by typing the url directly in the url-field of the browser. 3) correct: - if user 01 wants to edit an object of type document (e.g. /Plone/index_html), the edit-form will be shown, but the user cannot save it. (-> msg: you are not allowed....) - url was: http://........../Plone/index_html/portal_form/document_edit_form 4) problem: - if user 01 wants to edit an object of a ttwtype (e.g. /myPloneFolderttwTypnamesFoo), the edit-form will be shown, and the user is ALLOWED to save it!! - url was: http://......./myPloneFolder/ttwTypnamesFoo/portal_form/ttw_edit_form any ideas how I can restrict the edit-and-save-access to my ttwtype objects? thanks for every input, david.