http://berylium.org/news/announcements/story-newserver.html?method=edit

The goal is to render this page something like this:

site->name= berylium.org
folder->name= /news/announcements	 id=3

container[0]->name= /news/announcements  id=3
container[1]->name= /news		 id=2
container[2]->name= /			 id=1

object->objtype= story
object->name= newserver			 id=26

session->request->method= edit
session->request->format= html

session->sitemember->id= 10
session->foldermember->id= 15 role= editor
	container[0]->foldermember->id= 0
	container[1]->foldermember->id= 15 (role=editor)
	container[2]->foldermember->id= 4  (role=viewer)


SO, places to look for context, in order:
// class-specific, role-specific, up through folders
1) method='edit' AND format='html' AND role='editor' AND classname='story' AND folderid=3
2) method='edit' AND format='html' AND role='editor' AND classname='story' AND folderid=2
3) method='edit' AND format='html' AND role='editor' AND classname='story' AND folderid=1  (** most likely candidate!!!)

// class-specific, role-generic, up through folders
4) method='edit' AND format='html' AND classname='story' AND folderid=3
5) method='edit' AND format='html' AND classname='story' AND folderid=2
6) method='edit' AND format='html' AND classname='story' AND folderid=1

// class-generic, role-specific, up through folders
7) method='edit' AND format='html' AND role='editor' AND classname='ContentObject' AND folderid=3
8) method='edit' AND format='html' AND role='editor' AND classname='ContentObject' AND folderid=2
9) method='edit' AND format='html' AND role='editor' AND classname='ContentObject' AND folderid=1  (* second-most likely)

// class-generic, role-generic, up through folders
10) method='edit' AND format='html' AND classname='ContentObject' AND folderid=3
11) method='edit' AND format='html' AND classname='ContentObject' AND folderid=2
12) method='edit' AND format='html' AND classname='ContentObject' AND folderid=1

If no context is found in any of these places, the object cannot be rendered.


WHAT THIS MEANS!!!!
This has several implications. 
Contexts for view/list methods can be very specific, customized at the folder level, while edit and update method contexts remain defined on a sitewide basis.
The ContentObject class as defined in the root folder sets the baseline standard for security.
New roles can be created and contained at the folder level by adding a role-specific context.

For instance, if you create a new context for contest objects in /clients/bobanddave/specials where role=contestadmin, then give a foldermember (anywhere in the hierarchy from / to /clients/bobanddave to /clients/bobanddave/specials) the contestadmin permission, they will see any contest they view in that folder with the contestadmin context.

So how does the session determine which role to use? It traverses BACK through the folder hierarchy (the containers array), looking at folders until it hits a folder that is marked private (that is, public is unchecked). It uses the first foldermembership it finds to get the role and other info for the current sitemember. (If it doesn't find a foldermembership, that folder and the objects within it are off limits to the sitemember, unless that sitemember has a root-level ("/") foldermembership with role=admin. Root-level admins have access to most of the objects in the site.)
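
The role walk just described and the twelve-step context lookup order listed earlier, combined in one sketch. This is an added example, not Berylium's own code: the tuple layout, the function names resolve_role and lookup_order, and the reading that a private folder without a membership ends the walk are assumptions.

```python
from itertools import product

# Constructed sample mirroring the page, nearest folder first:
# (folder id, is_private, this sitemember's role in that folder or None)
CONTAINERS = [(3, False, None), (2, False, "editor"), (1, False, "viewer")]


def resolve_role(containers):
    """Walk from the object's folder toward the root and use the first
    foldermembership found. Assumption: reaching a private folder without
    a membership ends the walk, so a membership higher up does not apply;
    only a root-level admin membership still grants access."""
    for _folder_id, is_private, role in containers:
        if role is not None:
            return role
        if is_private:
            break
    root_role = containers[-1][2]
    return "admin" if root_role == "admin" else None


def lookup_order(method, fmt, role, classname, containers, base="ContentObject"):
    """Return the context lookup conditions in the order the page lists them:
    class-specific before class-generic, role-specific before role-generic,
    each tier walked from the nearest folder up to the root."""
    if role is None:
        return []  # no membership: the folder is off limits, nothing to render
    order = []
    for cls, r in product([classname, base], [role, None]):
        for folder_id, _private, _role in containers:
            cond = {"method": method, "format": fmt,
                    "classname": cls, "folderid": folder_id}
            if r is not None:
                cond["role"] = r
            order.append(cond)
    return order


if __name__ == "__main__":
    role = resolve_role(CONTAINERS)
    for n, cond in enumerate(lookup_order("edit", "html", role, "story", CONTAINERS), 1):
        print(n, " AND ".join(f"{k}='{v}'" for k, v in cond.items()))
```

Marking the first folder private in the sample makes resolve_role return None even though an editor membership exists one level up, which is the isolation property to check when a folder is made private.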