O.k., I've been mulling over the topic of protecting users from lots of potentially hostile authors. I've got some ideas that could go a little way toward solving the problem.

When writing a method that is going to do something *really* privileged (like "drop class"), there should be a second "Are you sure you want to...?" step. In order to enforce the desired use of this step, there must be a way to determine that the method is being called directly from the Zope Publisher(???) - not through an intermediate method. I have worked with such problems extensively under Apache, and the most secure solution I developed was not pretty. I'm hoping for better in Zope.

Is there a good un-fakeable way in Zope to determine the caller of a method? I am not willing to trust the things I would initially consider for doing this (without some assurances from more knowledgeable people).

(Another piece that is required for the "extra step" solution I mention is the generation of some cryptographic key to the second step. I think I understand how to do that.)

Some other things to consider... if you have a "Referer" header, you could use it to ensure that the user got to your method through the "proper" path. Using the "Accept" header *should* give a clue if the request is coming as a result of a tag like "img". These are not dependable solutions, though. Some browsers do not send the Referer, and MS browsers have a long history of sending bogus Accept values. Also, frames could be used instead of images for "invisible" calls.

--kyler
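As an added illustration of the "extra step" idea in the post (this is example code, not part of the original message and not Zope's own API), the following plain-Python sketch shows how the confirmation step can be bound to a cryptographic token instead of to the caller's identity: the token is an HMAC over the user, the action, the target and an expiry, so a request arriving via a hidden img tag or frame cannot supply it. The Referer check from the post is included as the weak secondary heuristic it is, returning None when the header is absent so the caller can decide how to treat that case. SERVER_SECRET, the function names and the request dict are assumptions made for the example; a real Zope method would read the same values from the REQUEST object.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed for this example; a real deployment would load a persistent,
# randomly generated secret from configuration rather than hard-code one.
SERVER_SECRET = b"example-secret-do-not-use"


def _token_message(user, action, target, expires, nonce):
    # Everything the confirmation is bound to goes under the MAC.
    return f"{user}|{action}|{target}|{expires}|{nonce}".encode()


def make_confirmation_token(user, action, target, secret=SERVER_SECRET, now=None, ttl=300):
    """Issue a token for the 'Are you sure?' step, valid for ttl seconds."""
    now = int(time.time() if now is None else now)
    expires = now + ttl
    nonce = secrets.token_hex(8)
    mac = hmac.new(secret, _token_message(user, action, target, expires, nonce),
                   hashlib.sha256).hexdigest()
    return f"{expires}:{nonce}:{mac}"


def verify_confirmation_token(token, user, action, target, secret=SERVER_SECRET, now=None):
    """True only if the token was issued for this user/action/target and is unexpired."""
    now = int(time.time() if now is None else now)
    try:
        expires_s, nonce, mac = token.split(":")
        expires = int(expires_s)
    except ValueError:
        return False          # malformed token
    if now > expires:
        return False          # expired
    expected = hmac.new(secret, _token_message(user, action, target, expires, nonce),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the MAC byte by byte.
    return hmac.compare_digest(expected, mac)


def referer_looks_local(headers, own_host):
    """Weak secondary check: True/False if a Referer is present, None if it is absent.

    The post notes some browsers omit Referer, so absence must not be treated as
    proof of either a legitimate or a hostile request.
    """
    ref = headers.get("Referer")
    if not ref:
        return None
    return urlsplit(ref).hostname == own_host


def drop_class(request, own_host="zope.example"):
    """Hypothetical privileged method with a mandatory confirmation step.

    request is a constructed stand-in for a Zope REQUEST: a dict with
    'user', 'target', 'headers' and optionally 'confirm_token'.
    Returns a short decision string instead of rendering pages.
    """
    user, target = request["user"], request["target"]
    token = request.get("confirm_token")
    if token is None:
        # First visit: render the confirmation page carrying a fresh token.
        return "confirm", make_confirmation_token(user, "drop_class", target)
    if not verify_confirmation_token(token, user, "drop_class", target):
        return "rejected", None
    if referer_looks_local(request.get("headers", {}), own_host) is False:
        # Token was valid but the Referer points elsewhere; log it, but the
        # token is the real control, so this is advisory only.
        return "done-with-warning", None
    return "done", None


if __name__ == "__main__":
    first = drop_class({"user": "alice", "target": "cs101", "headers": {}})
    print(first)  # ('confirm', '<expires>:<nonce>:<mac>')
    second = drop_class({"user": "alice", "target": "cs101",
                         "headers": {"Referer": "http://zope.example/cs101"},
                         "confirm_token": first[1]})
    print(second)  # ('done', None)
```

Note that the token is bound to the expiry and nonce but is not consumed on use, so it can be replayed within its lifetime by whoever holds it; single-use tokens would need server-side state (a store of issued nonces), which is the usual next step.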