Sorry for the repost, I desperately need help on this and any help would be greatly appreciated. The problem being that I have a custom User Folder loosely based on mysqluserfolder, without the cookies and session stuff, for that I use Cookie Crumbler and CST. Otherwise the code is pretty much the same with modifications to suit my purposes. Now lets say I have a user with role "X". I set up a folder that is veiwable only be ppl with role X via the security tab. When I try to view it, zope refuses entry to me. When I do a AUTHENTICATED_USER.getRoles or _.SecurityGetUser().getRoles() I get alist that has Authenticated User, Anonymous and X in it. I looked up and walked through the validate function in my UF and printed out roles just before it calls authorize and the list of roles is the same there too. My authorize function is the following: authorize__roles__ = () def authorize (Self, user, roles, REQUEST): v = REQUEST ['PUBLISHED'] # the published object a, c, n, v = Self._getobcontext(v, REQUEST) allowed = AccessControl.User.BasicUserFolder.authorize (Self, user, a, c, n, v, roles) if not allowed: return None else: return user Its essentially the same as in mysqluserfolder. The authorize() function in my UF also seems to be letting me (allowed = 1) in if I have the right role but I still get kicked out. As I said I am using Cookie crumbler and CST (I dont think this has anything to do with it) So who is kicking me out?? If my UF says I am cool and I have the right roles why am I getting kicked out?? Any pointers. TIA AM -- ================================================================== Aseem Mohanty Neurobehavioral Systems Inc, 828 San Pablo Ave, Albany, CA 94706 (R) 510 7696011 (M) 510 3014871 (O) 510 5279231 ================================================================== "I saw `cout' being shifted "Hello world" times to the left and stopped right there!!" -- Steve Gonedes ==================================================================