Hi Zope people,

I have been using Dieter Maurer's Post authentication hook quite successfully to restrict access to a folder for a group of users.

Now, my problem is that Post authentication hook is only called... for authenticated users (as its name implies). That's a problem for me, because anonymous users that can guess a URL could access private areas that I have set up.

(BTW, I am aware that I could restrict the access by changing the "View" permission in the "Security" tab and remove "Acquired", but that's not good enough: it then shows all documents to authorized users, regardless of their workflow state.)

Anyway, I am thinking of adding an unvalidated_hook call in ZPublisher/BaseRequest.py, something like:

    if user is not None:
        if validated_hook is not None: validated_hook(self, user)
        request['AUTHENTICATED_USER']=user
        request['AUTHENTICATION_PATH']='/'.join(steps[:-i])
    else:
        unvalidated_hook(request)

And then in unvalidated_hook, I would dynamically check if anonymous users can access the current folder.

Am I on the right track, or is there a built-in functionality in Zope to accomplish what I am trying to do? Advice and pointers are welcome.

Cheers

Cyrille
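
A simplified model of the dispatch described in the message above, as an added example that is not part of the original post and is not ZPublisher code. It shows the gap when only the post-authentication hook exists and how the else branch closes it; `RESTRICTED`, `Unauthorized`, `publish()`, the request dictionary and both hook bodies are hypothetical, and an anonymous request is modelled as `user is None`, following the snippet in the post.

```python
# Simplified model of the hook dispatch from the post; not ZPublisher code.
# RESTRICTED, Unauthorized, publish() and both hook bodies are hypothetical.

class Unauthorized(Exception):
    pass

# Constructed sample policy: folder prefix -> groups allowed inside it.
RESTRICTED = {"/intranet/hr": {"hr"}}

def restricted_groups(path):
    """Return the groups required for path, or None if the path is public."""
    parts = [p for p in path.split("/") if p]
    for prefix, groups in RESTRICTED.items():
        want = [p for p in prefix.split("/") if p]
        if parts[:len(want)] == want:  # compare whole segments, not substrings
            return groups
    return None

def validated_hook(request, user):
    """Post-authentication check: the user must be in an allowed group."""
    groups = restricted_groups(request["PATH"])
    if groups is not None and not (groups & user["groups"]):
        raise Unauthorized(request["PATH"])

def unvalidated_hook(request):
    """Anonymous check: a restricted folder is never served without a user."""
    if restricted_groups(request["PATH"]) is not None:
        raise Unauthorized(request["PATH"])

def publish(path, user, validated_hook=None, unvalidated_hook=None):
    """Mirror the if/else from the post and return an HTTP-like status."""
    request = {"PATH": path}
    try:
        if user is not None:
            if validated_hook is not None:
                validated_hook(request, user)
            request["AUTHENTICATED_USER"] = user
        elif unvalidated_hook is not None:
            unvalidated_hook(request)
    except Unauthorized:
        return 401
    return 200

if __name__ == "__main__":
    target = "/intranet/hr/salaries"
    users = [{"name": "alice", "groups": {"hr"}}, {"name": "bob", "groups": {"dev"}}, None]
    for u in users:
        name = u["name"] if u else "anonymous"
        print(name, publish(target, u, validated_hook),
              publish(target, u, validated_hook, unvalidated_hook))
```

With only `validated_hook` installed, the anonymous request to the restricted folder is served while the authenticated user outside the group is refused; adding `unvalidated_hook` refuses both.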