Hello, I've written an external method that I call through xml-rpc. It lets me create files on the server from a stand-alone client application that runs on the workstation of my users. In testing it recently, I discovered that it will let me write files to secured folders within my Zope system, even though I'm not yet using the patch to xmlrpclib.py that supports authentication! I'm running Zope 2.2.5 under redhat 7.0. The external method is included below. Any clues would be appreciated. Thanks in advance.... Is it up to me to write my own security code when using an external method? -- import tempfile import OFS.content_types import OFS.FindSupport import string def EWSyncAdd(self, PARMS): """ Create a new DTMLDocument, Image, or File object """ try: filename = PARMS['filename'] except: return "missing parm: filename" try: timestamp = PARMS['timestamp'] except: return "missing parm: timestamp" try: contents = PARMS['contents'].data except: return "missing parm: contents" try: title = PARMS['title'] except: return "missing parm: title" truepathspec = fixRPCPath(self.REQUEST) folderObject = self.REQUEST.resolve_url(truepathspec) filespec = truepathspec + '/' + filename itemObject = None if filename in folderObject.objectIds(): return "object already exists" type, enc=OFS.content_types.guess_content_type(filename, contents) if type in ('text/html', 'text/xml', 'text/plain'): # Create a DTMLDocument object folderObject.manage_addDocument(filename, title) itemObject = self.REQUEST.resolve_url(filespec) itemObject.manage_edit(contents, title) elif type[:6]=='image/': # Create an Image object f = tempfile.TemporaryFile() f.write(contents) f.seek(0) folderObject.manage_addImage(filename, f, title=title) f.close() itemObject = self.REQUEST.resolve_url(filespec) else: # Create a File object f = tempfile.TemporaryFile() f.write(contents) f.seek(0) folderObject.manage_addFile(filename, f, title=title) f.close() itemObject = self.REQUEST.resolve_url(filespec) if itemObject.getProperty('EWTimeStamp') is None: itemObject.manage_addProperty('EWTimeStamp', timestamp, 'string') else: itemObject.manage_changeProperties(None, EWTimeStamp=timestamp) return "OK" def fixRPCPath(req): pathsegs = string.split(req['PATH_INFO'], '/') if pathsegs[1] == 'RPC2': del pathsegs[1] del pathsegs[-1] return 'http://' + req['HTTP_HOST'] + string.join(pathsegs, '/') -- Martin Stitt Chief Software Engineer Esker, Inc. email: marty.stitt@esker.com phone: (608) 273-6000 x331 fax: (608) 273-8227 web: http://www.esker.com