[Grok-dev] Re: Protecting views to allow anonymous access only
Philipp von Weitershausen
philipp at weitershausen.de
Thu Jul 31 06:37:30 EDT 2008
On 31 Jul 2008, at 12:26, Dennis Noordsij wrote:
> You could do the following:
>
> In buildout.cfg,
>
> <unauthenticatedPrincipal id="zope.anybody"
> title="Anonymous user" />
>
> <grant permission="mysite.Anonymous" principal="zope.anybody" />
>
> Then you can protect a view with mysite.Anonymous and only not-logged-in
> users can access it.
>
> (I use it to add a "login", "register", etc viewlet to the default
> layout).
>
> Or am I missing the problem?
I suppose that would work, if you only assign the permission to the
anonymous *principal*. Because zope.securitypolicy implicitly assigns
the anonymous *role* to anybody.
However, there's still one caveat. Manager roles, in other words,
roles that were granted everything using <grantAll /> literally can do
*everything*, without having any permission granted explicitly. So the
above trick would allow the anonymous principal to carry out the task
and nobody else except "managers" (for the lack of a better word).
Managers would still be able to access the component no matter what.
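The two points above (granting to the anonymous *principal* rather than the anonymous *role*, and the <grantAll /> caveat) can be checked against a small model of how the security policy resolves a permission. The following is an added example written for this page; it is not code from the thread or from zope.securitypolicy itself, and it models only the pieces discussed here: principal grants, role grants, the implicit anonymous role, and <grantAll />, leaving out Deny settings and local (per-object) grants. The principal ids "alice" and "admin" and the role "zope.Member" are constructed for the illustration; "zope.anybody", "zope.Anonymous" and "zope.Manager" follow the ids used in Zope.

```python
"""Simplified model of zope.securitypolicy permission resolution.

Added example; not code from the Grok-dev thread or from zope.securitypolicy.
It models <grant> to a principal or role, <grantAll /> for manager-style
roles, and the anonymous role the policy implicitly gives every principal.
Deny settings and local (per-object) grants are deliberately left out.
"""
from dataclasses import dataclass, field

ANONYMOUS_PRINCIPAL = "zope.anybody"  # <unauthenticatedPrincipal id="zope.anybody" />
ANONYMOUS_ROLE = "zope.Anonymous"     # role every principal implicitly holds
MANAGER_ROLE = "zope.Manager"         # role granted everything via <grantAll />
VIEW_PERMISSION = "mysite.Anonymous"  # permission protecting the anonymous-only view


@dataclass
class Policy:
    principal_permissions: dict = field(default_factory=dict)  # <grant permission= principal=>
    role_permissions: dict = field(default_factory=dict)       # <grant permission= role=>
    principal_roles: dict = field(default_factory=dict)        # <grant role= principal=>
    grant_all_roles: set = field(default_factory=set)          # <grantAll role=>

    def grant(self, permission, *, principal=None, role=None):
        if (principal is None) == (role is None):
            raise ValueError("give exactly one of principal or role")
        target = self.principal_permissions if principal else self.role_permissions
        target.setdefault(principal or role, set()).add(permission)

    def grant_role(self, role, principal):
        self.principal_roles.setdefault(principal, set()).add(role)

    def grant_all(self, role):
        self.grant_all_roles.add(role)

    def roles_for(self, principal):
        # The policy seeds every principal's role set with the anonymous
        # role before applying explicit role grants, so "anybody" really
        # means anybody, logged in or not.
        return {ANONYMOUS_ROLE} | self.principal_roles.get(principal, set())

    def check(self, permission, principal):
        # Direct grant to the principal wins first.
        if permission in self.principal_permissions.get(principal, ()):
            return True
        for role in self.roles_for(principal):
            if role in self.grant_all_roles:
                return True  # <grantAll /> short-circuits every check
            if permission in self.role_permissions.get(role, ()):
                return True
        return False


def site_policy(grant_to_role=False):
    """Policy from the thread: mysite.Anonymous granted to the zope.anybody
    principal (or, to show the pitfall, to the zope.Anonymous role), plus a
    manager role with <grantAll /> and an ordinary logged-in member."""
    p = Policy()
    if grant_to_role:
        p.grant(VIEW_PERMISSION, role=ANONYMOUS_ROLE)       # the pitfall
    else:
        p.grant(VIEW_PERMISSION, principal=ANONYMOUS_PRINCIPAL)
    p.grant_all(MANAGER_ROLE)
    p.grant_role(MANAGER_ROLE, "admin")        # constructed principal
    p.grant("zope.View", role="zope.Member")   # constructed role
    p.grant_role("zope.Member", "alice")       # constructed principal
    return p


def can_see_anonymous_view(principal, grant_to_role=False):
    """Does `principal` pass the check protecting the anonymous-only view?"""
    return site_policy(grant_to_role).check(VIEW_PERMISSION, principal)


if __name__ == "__main__":
    for who in (ANONYMOUS_PRINCIPAL, "alice", "admin"):
        print(f"{who:13} principal-grant: {can_see_anonymous_view(who)!s:5} "
              f"role-grant: {can_see_anonymous_view(who, grant_to_role=True)}")
```

With the grant on the principal, only zope.anybody and the manager pass; a logged-in member is refused. Move the same grant onto the zope.Anonymous role and every principal passes, because the role is held by everybody. The manager passes in both configurations, which is the caveat described above: <grantAll /> is consulted before any permission lookup, so no grant on a permission can exclude such a role.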