Usage of AUTHENTICATED_USER
Zopistas, I've been beating my head on the wall about this issue for weeks now. I need to be able to access the User object so that I can run a has_permission check in Python. However, I haven't been able to find a reliable way to access the current authenticated user in Python code.

In fact, I have found a small security hole. If a user has permission to add folders, there is nothing stopping the user from putting their own default User Folder in it. There is a check that is supposed to prevent that depending on permissions, but it's easy to circumvent. This is unlikely to be a major issue so I'll just say what's involved in exploiting the hole. The manage_addFolder method, used to create a new folder, takes the current REQUEST as an argument. All one needs to do is call manage_addFolder without a REQUEST argument, and the extra security checks are disabled. Thus anyone who can create folders can also create default user folders.

The issue is that there is no apparent way for a method such as manage_addFolder to get the current User object to perform a proper security check. Getting it using REQUEST['AUTHENTICATED_USER'] isn't reliable. In fact, it is possible to call <dtml-call "REQUEST.set('AUTHENTICATED_USER', bogusSuperUser)"> which works but fortunately doesn't have much effect at present. (bogusSuperUser would be a folder with DTML methods has_permission, has_role, validate, etc. and would masquerade as a SuperUser object.)

Summary: I need to perform extra security checks similar to what manage_addFolder does, but it must be secure, unlike manage_addFolder.

All advice is welcome.

Shane Hathaway
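The two weaknesses the post describes, a check that only runs when the caller supplies REQUEST and an identity read from a caller-writable REQUEST key, can be modelled in plain Python. The following is an added illustration, not code from the post or from Zope: `User`, `Folder`, the permission string "Add User Folders", the `set_authenticated_user` hook and the thread-local security context are all constructed for this model. The gated variant reproduces the pattern the post complains about; the checked variant takes the user from a context that only the authentication layer writes, so neither omitting REQUEST nor overwriting the key changes who is checked.

```python
import threading

# Permission name is constructed for this model; the post does not name the
# real Zope permission string.
ADD_USER_FOLDERS = "Add User Folders"


class User:
    """Minimal stand-in for a user object: a name and a permission set."""

    def __init__(self, name, permissions=()):
        self.name = name
        self._permissions = frozenset(permissions)

    def has_permission(self, permission, obj=None):
        return permission in self._permissions


class Folder:
    """Minimal container; 'acl_users' stands for the default user folder."""

    def __init__(self, id):
        self.id = id
        self.children = {}


def manage_addFolder_gated(container, id, create_userfolder=False, REQUEST=None):
    """Pattern from the post: the extra check runs only when REQUEST is
    supplied, and it trusts whatever user object REQUEST carries."""
    if create_userfolder and REQUEST is not None:
        user = REQUEST["AUTHENTICATED_USER"]
        if not user.has_permission(ADD_USER_FOLDERS, container):
            raise PermissionError("Add User Folders permission required")
    folder = Folder(id)
    if create_userfolder:
        folder.children["acl_users"] = Folder("acl_users")
    container.children[id] = folder
    return folder


# Hardened variant: identity comes from a security context that only the
# authentication layer writes (hypothetical hook, not a Zope API).
_security = threading.local()


def set_authenticated_user(user):
    """Called by the authentication layer once credentials are validated."""
    _security.user = user


def get_authenticated_user():
    return getattr(_security, "user", None)


def manage_addFolder_checked(container, id, create_userfolder=False, REQUEST=None):
    """Same signature, but the check never depends on the REQUEST argument."""
    if create_userfolder:
        user = get_authenticated_user()
        if user is None or not user.has_permission(ADD_USER_FOLDERS, container):
            raise PermissionError("Add User Folders permission required")
    folder = Folder(id)
    if create_userfolder:
        folder.children["acl_users"] = Folder("acl_users")
    container.children[id] = folder
    return folder


def creates_user_folder(add_folder, user, REQUEST):
    """Run one variant as `user` and report whether a user folder was created."""
    root = Folder("root")
    set_authenticated_user(user)
    try:
        folder = add_folder(root, "f", create_userfolder=True, REQUEST=REQUEST)
    except PermissionError:
        return False
    return "acl_users" in folder.children


def audit():
    """Constructed cases. True means a user folder was created; for the
    'limited' user (may add folders, not user folders) that is a failure."""
    limited = User("limited", permissions=["Add Folders"])
    manager = User("manager", permissions=["Add Folders", ADD_USER_FOLDERS])
    spoof = User("bogusSuperUser", permissions=[ADD_USER_FOLDERS])
    honest = {"AUTHENTICATED_USER": limited}
    spoofed = {"AUTHENTICATED_USER": spoof}  # the REQUEST.set(...) case
    return {
        "gated/with_request": creates_user_folder(manage_addFolder_gated, limited, honest),
        "gated/no_request": creates_user_folder(manage_addFolder_gated, limited, None),
        "gated/spoofed_request": creates_user_folder(manage_addFolder_gated, limited, spoofed),
        "checked/no_request": creates_user_folder(manage_addFolder_checked, limited, None),
        "checked/spoofed_request": creates_user_folder(manage_addFolder_checked, limited, spoofed),
        "checked/authorized": creates_user_folder(manage_addFolder_checked, manager, None),
    }


if __name__ == "__main__":
    for case, created in audit().items():
        print(f"{case:24} user folder created: {created}")
```

The `audit()` table is the regression check a maintainer would keep: the gated variant creates the user folder for the limited user whenever REQUEST is missing or rewritten, while the checked variant refuses in both cases and still allows the genuinely authorized user.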
participants (1): Shane Hathaway