Moved to "zope@zope.org".... Andre Schubert writes:

this works very well, it's so easy to use that i have not seen it. But how can i access AUTHENTICATED_USER in the method called by AccessRule. Sorry!

Did not think enough.... You cannot because authentication is only performed at the end of traversal (see URL:http://www.dieter.handshake.de/pyprojects/zope/book/chap3.html for details). Depending what authentication scheme you use, you may be able to decode the elementary authentication information in the request object and determine the username from that. When you use Basic Authentication, you would e.g. base64-decode the Authentication header to get the username. With cookie authentication, you would ask your UserFolder to decode it and give you the user name. Your AccessRule must probably be an External Method for this to work, as there is not yet a security context to do anything protected in Python Script. Dieter