[Grok-dev] Re: Protecting views to allow anonymous access only
faassen at startifact.com
Mon Jul 28 09:06:34 EDT 2008
I was away for a couple of days so this one got stuck in the mail queue
for a while, sorry for the delay!
[Are other people actually monitoring the mail queue? We set up quite a
few people to do it, but I'm not sure whether it's being done actively.
If you want to volunteer to make sure non-spam new postings get approved
quickly, please drop me a mail]
Andreas Kaiser wrote:
> I'm in the progress of developing my first Grok application, so please
> be patient with me and my maybe stupid questions.
> Right now I'm stuck with this…
> I need to protect a view, so that it can be accessed *only* by
> anonymous users.
> I know:
> ~ - how to protect a view with e.g.
> ~ grok.require('my.CustomPermission')
> ~ - how to create a custom role
> ~ - how to gather permissions in this role
> I don't know:
> ~ - how to grant my role to the anonymous user
> Any pointers would be appreciated.
Hm, interesting question to which I can't answer directly.
I'm not sure whether anonymous permission checks don't undergo some
shortcut whereby this strategy can fail, but some possible hints:
request.principal.id gives you the permission id, so you should be able
to figure out what the id for anonymous is. I think it's going to be
You might be able to use IPrincipalRoleMap on your content object
(perhaps the root of your application) to assign your role to
zope.unknown. See zope.app.securitypolicy.interfaces for more information.
Other possible directions to take:
It turns out you can apparently override what the
IUnauthenticatedPrincipal object will be by supplying the right utility.
See zope.app.security.globalprincipals.txt. Probably not needed.
More interesting bits in zope.app.security.globalprincipals.txt:
You can apparently create an unauthenticated group in ZCML (perhaps it's
already created in the standard startup profile of Grok - not sure). You
could then, I think, assign your role to this group, using
IPrincipalRoleMap again (the group id zope.unknowngroup should be the
More information about the Grok-dev