We're in the process of building a cluster (just installed 8 machines) for serving a bunch (tens of thousands) of users. Many/most of these people will also be authors. A single (X.500- based) authentication system will be used for most everything. I'm trying to get a handle on what policy I want to use in order to keep authors from doing Bad Things to authenticated users who visit their pages. Looking around on Zope.org, I realized that this might already be addressed. Is there anything that prevents me (as a Zope community member with authoring privileges on zope.org) from luring users who have already authenticated with Zope.org to come look at my pages, and then running arbitrary commands with their privileges? Anyone else grappling with this situation? I'm trying to decide how to set policy so that users are reasonably safe, but authors still have the freedom to create Cool Stuff. There will most certainly be multiple classes of authors - those who can act with the authenticated user's privileges and those who can not. I'm not quite sure how to implement that yet, though. I'm also concerned about links to Bad Things, like "delete your home directory" disguised as "Get porn here!". Any thoughts? Has this already been hashed out somewhere that I should have found? Thank you. --kyler