I have another interesting authorization failure problem (Zope 2.0.0b1).

Let's say I have a folder called Restricted. Permissions for this folder are restricted to users of a specific privileged role called Editor. Inside this folder I also have a standard user folder with one such Editor user defined.

The problem arises when the user is viewing a document in the Restricted folder, and the document is referring to objects -- such as images through <img> tags -- from the _unrestricted_ part of the database. It'll give "Unauthorized" on these objects no matter what. Remember that these objects aren't restricted at all; the Anonymous role has full View access.

My suspicion is that if the browser passes an authentication header that does not match a valid user (known to the folder or any up-level folders through acquisition; in my case the whole idea is that the user folder is not visible from the part of the site that the browser passes an authentication header to), then Zope will not revert to the anonymous role, but will instead just block the user unconditionally.

If I move the user folder into the top-level folder, everything is groovy.

Sounds like a bug, anybody care to comment before I bung it in the Collector?

--
Alexander Staubo
http://www.mop.no/~alex/

"QED?" said Russell. "It's Latin," said Morgan. "It means, So there you bastard."
--Robert Rankin, _Nostradamus Ate My Hamster_
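
The behaviour suspected in the post above can be reproduced in a small model. This is an added example, not Zope source code and not part of the original message; `Folder`, `find_roles`, `authorize`, `scenario` and the sample account are hypothetical names and values chosen for illustration.

```python
# Added illustration: a toy model of the suspected behaviour, not Zope source code.
import hmac
from dataclasses import dataclass, field
from typing import Optional

ANON = "Anonymous"

@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    users: dict = field(default_factory=dict)   # login -> (password, roles)
    view_roles: frozenset = frozenset({ANON})   # roles allowed to View

def find_roles(folder, login, password):
    """Search user folders from `folder` up to the root (acquisition-style)."""
    node = folder
    while node is not None:
        entry = node.users.get(login)
        if entry and hmac.compare_digest(entry[0], password):
            return set(entry[1]) | {ANON}
        node = node.parent
    return None  # credentials match no user visible from this folder

def authorize(folder, credentials, fallback_to_anonymous):
    """Return the HTTP status for a View request on an object in `folder`."""
    roles = {ANON}
    if credentials is not None:
        found = find_roles(folder, *credentials)
        if found is not None:
            roles = found
        elif not fallback_to_anonymous:
            return 401  # suspected behaviour: unknown credentials rejected outright
    return 200 if roles & folder.view_roles else 401

def scenario(users_at_root, fallback_to_anonymous):
    """Statuses for (document in Restricted, image in the unrestricted folder)."""
    editor = {"editor": ("s3cret", ("Editor",))}  # constructed sample account
    root = Folder("root", users=editor if users_at_root else {})
    restricted = Folder("Restricted", root, {} if users_at_root else editor,
                        frozenset({"Editor"}))
    images = Folder("images", root)  # Anonymous may View
    creds = ("editor", "s3cret")     # browser sends the same header for both requests
    return (authorize(restricted, creds, fallback_to_anonymous),
            authorize(images, creds, fallback_to_anonymous))
```

With the user folder inside Restricted and no anonymous fallback, `scenario(False, False)` gives 200 for the document and 401 for the image; enabling the fallback or moving the user folder to the root gives 200 for both.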