A few days ago I found that on the site that I'm currently working on, everybody can add DTMLMethods and Documents (and maybe do more, I haven't checked yet, but I think it's bad enough!) by simply entering the URL

http://www.mysite.com/manage_addDTMLMethod?id=q1&title=qq1&file=qqq1

After that Zope sends a 'Location' header to redirect the user to 'manage_main'. That (manage_main) causes an 'Unauthorized' exception. But that object 'q1' was added!!!

I was thinking that it's a bug in a Product. (I use LoginManager, LocalFS, SiteAccess.) I decided to upgrade my Zope from 2.2.1 to 2.2.4 and upgrade all Products (one good thing so far ;)). No success. So I did a fresh install of Zope 2.2.4, without additional Products, with a brand new Data.fs. Problem persists!

I have default security settings, so Anonymous can't "Add Documents, Images, and Files". Of course the user can put any DTML in this object - you know the consequences... (and if the folder where this object is located is owned by a high-privileged user, then this object is owned by that user too (through acquisition)).

I just checked: I can't add Folders this way.

What's going on?!? Have I found a very big security hole, or am I just going crazy? :(

P.S. Just take a look at the object with id "haveIFoundABug" in the root level of www.zope.org that I created a few seconds ago...

ololo@zeus.polsl.gliwice.pl
/--------------------------------------\
| `long long long' is too long for GCC |
\--------------------------------------/
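As an added illustration from the site administrator's side (this is not part of the original post and not Zope's own code), the script below scans web server access log lines for the pattern the post describes: an unauthenticated client calling a manage_add* constructor and getting something other than a 401/403 back, after which the redirect to manage_main is the request that actually fails. The log lines are constructed samples in Common Log Format, which I assume is the layout of Zope's Z2.log; the helper function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format (assumed layout of Zope's Z2.log).
# The first two lines reproduce the sequence from the post: an anonymous ("-")
# client calls manage_addDTMLMethod with query parameters, is redirected (302)
# to manage_main, and only the follow-up request to manage_main gets a 401.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2001:10:15:01 +0100] "GET /manage_addDTMLMethod?id=q1&title=qq1&file=qqq1 HTTP/1.0" 302 0
10.0.0.5 - - [12/Jan/2001:10:15:02 +0100] "GET /manage_main HTTP/1.0" 401 512
10.0.0.9 - admin [12/Jan/2001:10:16:40 +0100] "GET /manage_addDTMLMethod?id=index_html&title=Home HTTP/1.0" 302 0
10.0.0.9 - admin [12/Jan/2001:10:16:41 +0100] "GET /manage_main HTTP/1.0" 200 4096
10.0.0.7 - - [12/Jan/2001:10:17:00 +0100] "GET /index_html HTTP/1.0" 200 1024
10.0.0.5 - - [12/Jan/2001:10:18:30 +0100] "GET /manage_addFolder?id=x HTTP/1.0" 401 512
"""

CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_clf(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_constructor_call(path):
    """True when the last path segment is a Zope constructor method (manage_add*)."""
    segment = path.split('?', 1)[0].rsplit('/', 1)[-1]
    return segment.startswith('manage_add')


def find_anonymous_constructor_calls(log_text):
    """Return constructor calls made by unauthenticated clients that the server
    did not refuse (status other than 401/403). On a correctly configured site
    this list should be empty; each hit names an object that may have been
    created without permission and should be looked for in the ZMI."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue                      # not a CLF line, skip it
        if rec['user'] != '-':
            continue                      # authenticated user, out of scope here
        if not is_constructor_call(rec['path']):
            continue                      # ordinary request
        if rec['status'] in ('401', '403'):
            continue                      # the server refused it, as it should
        hits.append({'host': rec['host'], 'time': rec['time'],
                     'path': rec['path'], 'status': rec['status']})
    return hits


def object_ids_from_hits(hits):
    """Extract the 'id' query parameter of each hit: the name the new object got."""
    ids = []
    for h in hits:
        query = urlsplit(h['path']).query
        ids.extend(parse_qs(query).get('id', []))
    return ids


if __name__ == '__main__':
    found = find_anonymous_constructor_calls(SAMPLE_LOG)
    for h in found:
        print(h['time'], h['host'], h['status'], h['path'])
    print('object ids to check in the ZMI:', object_ids_from_hits(found))
```

On the sample data only the first line is reported: the admin's constructor call is legitimate and the anonymous manage_addFolder attempt was refused with 401, matching the post's observation that Folders could not be added this way. The ids it returns are the objects to look for and remove if they should not exist.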