- how to validate access to an object, part 2
I'm close, but still not there. I'm sure it will turn out to be simple. Can any Zope guru suggest a solution? I wrote:
My search form uses an external method which is similar to FindSupport.PrincipiaFind(). It has one problem - it lists [file objects] for which the user does not have view permission.
To recap, I want my find form/method to list only objects for which the user has view permission, like #tree does with the "skip_unauthorized" attribute.

I saw that #in also has a skip_unauthorized attribute. So I tried using this in the dtml which displays the find results - no effect, it still lists all the file objects.

Another dtml approach - in the results list I tried:

    <!--#var expr="_.getattr(_['sequence-item'],'id')()"-->

and this does raise an authorization error at the appropriate time (ie when listing an unauthorized object). I want to skip those objects, not cause an exception.

So.. I've tried calling validate(), and I've tried calling careful_getattr in the find method, but only get TypeErrors and an unhelpful traceback. Debugging has been... an adventure.. :-\ I will send some notes on this.

Here's the essence of my find method:

    def ExtranetFind(self, obj, obj_searchterm=None, obj_days=0, search_sub=0,
                     REQUEST=None, result=None, pre=''):
        """extranet find function, based on PrincipiaFind"""
        ...
        base=obj
        if hasattr(obj, 'aq_base'):
            base=obj.aq_base
        ...
        for id, ob in base.objectItems():
            # skip this object if user should not have access to it
            md=TemplateDict()
            md.validate = REQUEST.AUTHENTICATED_USER.validate
            try:
                d['getattr'](md,ob,'title')  #<-- cannot find right syntax
            except:
                continue
            <check other search criteria>
            <append to results if match>

-Simon
participants (1): Simon Michael