[Grok-dev] Re: Protecting views to allow anonymous access only

Martijn Faassen faassen at startifact.com
Mon Jul 28 09:06:34 EDT 2008

Hey Andreas,

I was away for a couple of days so this one got stuck in the mail queue 
for a while, sorry for the delay!

[Are other people actually monitoring the mail queue? We set up quite a 
few people to do it, but I'm not sure whether it's being done actively.
If you want to volunteer to make sure non-spam new postings get approved 
quickly, please drop me a mail]

Andreas Kaiser wrote:
> I'm in the process of developing my first Grok application, so please
> be patient with me and my maybe stupid questions.
> Right now I'm stuck with this…
> I need to protect a view, so that it can be accessed *only* by
> anonymous users.
> I know:
>   - how to protect a view with e.g.
>     grok.require('my.CustomPermission')
>   - how to create a custom role
>   - how to gather permissions in this role
> I don't know:
>   - how to grant my role to the anonymous user
> Any pointers would be appreciated.

Hm, interesting question which I can't answer directly.

I'm not sure whether anonymous permission checks don't undergo some 
shortcut whereby this strategy can fail, but some possible hints:

request.principal.id gives you the permission id, so you should be able 
to figure out what the id for anonymous is. I think it's going to be 

You might be able to use IPrincipalRoleMap on your content object 
(perhaps the root of your application) to assign your role to 
zope.unknown. See zope.app.securitypolicy.interfaces for more information.

Other possible directions to take:

It turns out you can apparently override what the 
IUnauthenticatedPrincipal object will be by supplying the right utility. 
See zope.app.security.globalprincipals.txt. Probably not needed.

More interesting bits in zope.app.security.globalprincipals.txt:

You can apparently create an unauthenticated group in ZCML (perhaps it's 
already created in the standard startup profile of Grok - not sure). You 
could then, I think, assign your role to this group, using 
IPrincipalRoleMap again (the group id zope.unknowngroup should be the 
principal id).


