hi there, i'm trying to migrate a plone project from zope 2.5.1 to zope 2.6.1. the app relies heavily on database driven local roles information, for which we're using zpatterns and loginmanager. so we've created these custom plone folders called 'teamfolders'. these folders are dataskins, and they override get_local_roles() and get_local_roles_for_userid(), returning the appropriate responses based on the team membership information that is in the database. similarly, in our user class, we've overridden getRolesInContext(). in zope 2.5.1 this all works beautifully. zope recognized the local roles and allows access accordingly. even the 'local_roles' link on the security tab still works, although it doesn't allow you to delete the local roles that originate from the database. when i import my product into 2.6.1, however, things don't work as smoothly. everything looks like it should work... the local roles page still displays the right information. a test page that i've written consistently displays the expected results for here.get_local_roles() and here.get_local_roles_for_userid(), as well as user.getRolesInContext(). but zope doesn't allow the access based on this information. that is, even when 'teammember' is showing up on the user's local roles list, zope isn't allowing the user to perform actions that should be allowed to 'teammember'. has something changed within zope's security implementation? is there a new method that needs to be overridden that i don't know about? does anyone have any other ideas why this might be happening? i've searched on the zope.org site and the mailing lists to no avail... any info anyone can provide would be greatly appreciated! thanks! -r