Please stay on the list, I've not given up ;-). Since the try/except clause didn't work, it's quite clear that getattr isn't raising the exception. Maybe it happens inside ZopeFind.
ZopeFind also has the possibility to limit search results based on permission (see the "advanced" tab under Find in the ZMI.
IIRC, you can use something like ZopeFind(..., obj_permission=[list of permissions], obj_roles=[list of roles]), where you define which roles should have which permission on the object. Another possiblity is to use obj_expr="something", where something tests if the actual user is allowed to view the object.
cheers, oliver
obj_expr="la_la_la": triggers the authorization window I am using Jens Vagelpohl idea to get the AUTHENTICATED_USER aquired parent directory and then checking to make sure the directory lies in the actual path. Works well and is pretty quick. Thanks Chris