Text File
special-groups.txt

Granting to unauthenticated

There are 3 special groups:

Here's an example:

First, we'll set up a pluggable authentication utility containing a principal folder, which we'll create first.

Create pluggable authentication utility and register it.

>>> print http(r"""
... POST /++etc++site/default/@@contents.html HTTP/1.1
... Authorization: Basic bWdyOm1ncnB3
... Content-Length: 98
... Content-Type: application/x-www-form-urlencoded
... Cookie: zope3_cs_6a553b3=-j7C3CdeW9sUK8BP5x97u2d9o242xMJDzJd8HCQ5AAi9xeFcGTFkAs
... Referer: http://localhost:8081/++etc++site/default/@@contents.html?type_name=BrowserAdd__zope.app.authentication.authentication.PluggableAuthentication
...
... type_name=BrowserAdd__zope.app.authentication.authentication.PluggableAuthentication&new_value=PAU""")
HTTP/1.1 303 See Other
...
>>> print http(r"""
... POST /++etc++site/default/PAU/addRegistration.html HTTP/1.1
... Authorization: Basic bWdyOm1ncnB3
... Content-Length: 687
... Content-Type: multipart/form-data; boundary=---------------------------5559795404609280911441883437
... Cookie: zope3_cs_6a553b3=-j7C3CdeW9sUK8BP5x97u2d9o242xMJDzJd8HCQ5AAi9xeFcGTFkAs
... Referer: http://localhost:8081/++etc++site/default/PAU/addRegistration.html
...
... -----------------------------5559795404609280911441883437
... Content-Disposition: form-data; name="field.comment"
...
...
... -----------------------------5559795404609280911441883437
... Content-Disposition: form-data; name="field.actions.register"
...
... Register
... -----------------------------5559795404609280911441883437--
... """)
HTTP/1.1 303 See Other
...

Add a Principal folder plugin to PAU.

>>> print http(r"""
... POST /++etc++site/default/PAU/+/AddPrincipalFolder.html%3D HTTP/1.1
... Authorization: Basic bWdyOm1ncnB3
... Content-Length: 429
... Content-Type: multipart/form-data; boundary=---------------------------95449631112274213651507932125
... Cookie: zope3_cs_6a553b3=-j7C3CdeW9sUK8BP5x97u2d9o242xMJDzJd8HCQ5AAi9xeFcGTFkAs
... Referer: http://localhost:8081/++etc++site/default/PAU/+/AddPrincipalFolder.html=
...
... -----------------------------95449631112274213651507932125
... Content-Disposition: form-data; name="field.prefix"
...
... users
... -----------------------------95449631112274213651507932125
... Content-Disposition: form-data; name="UPDATE_SUBMIT"
...
... Add
... -----------------------------95449631112274213651507932125
... Content-Disposition: form-data; name="add_input_name"
...
... users
... -----------------------------95449631112274213651507932125--
... """)
HTTP/1.1 303 See Other
...

Add a principal to it:

>>> print http(r"""
... POST /++etc++site/default/PAU/users/+/AddPrincipalInformation.html%3D HTTP/1.1
... Authorization: Basic bWdyOm1ncnB3
... Content-Length: 780
... Content-Type: multipart/form-data; boundary=---------------------------5110544421083023415453147877
... Cookie: zope3_cs_6a553b3=-j7C3CdeW9sUK8BP5x97u2d9o242xMJDzJd8HCQ5AAi9xeFcGTFkAs
... Referer: http://localhost:8081/++etc++site/default/PAU/users/+/AddPrincipalInformation.html%3D
...
... -----------------------------5110544421083023415453147877
... Content-Disposition: form-data; name="field.login"
...
... bob
... -----------------------------5110544421083023415453147877
... Content-Disposition: form-data; name="field.passwordManagerName"
...
... Plain Text
... -----------------------------5110544421083023415453147877
... Content-Disposition: form-data; name="field.password"
...
... bob
... -----------------------------5110544421083023415453147877
... Content-Disposition: form-data; name="field.title"
...
... bob
... -----------------------------5110544421083023415453147877
... Content-Disposition: form-data; name="field.description"
...
...
... -----------------------------5110544421083023415453147877
... Content-Disposition: form-data; name="UPDATE_SUBMIT"
...
... Add
... -----------------------------5110544421083023415453147877
... Content-Disposition: form-data; name="add_input_name"
...
... bob
... -----------------------------5110544421083023415453147877--
... """)
HTTP/1.1 303 See Other
...

Configure PAU, with registered principal folder plugin.

>>> print http(r"""
... POST /++etc++site/default/PAU/@@configure.html HTTP/1.1
... Authorization: Basic bWdyOm1ncnB3
... Content-Length: 1038
... Content-Type: multipart/form-data; boundary=---------------------------6519411471194050603270010787
... Cookie: zope3_cs_6a553b3=-j7C3CdeW9sUK8BP5x97u2d9o242xMJDzJd8HCQ5AAi9xeFcGTFkAs
... Referer: http://localhost:8081/++etc++site/default/PAU/@@configure.html
...
... -----------------------------6519411471194050603270010787
... Content-Disposition: form-data; name="field.credentialsPlugins.to"
...
... U2Vzc2lvbiBDcmVkZW50aWFscw==
... -----------------------------6519411471194050603270010787
... Content-Disposition: form-data; name="field.credentialsPlugins-empty-marker"
...
...
... -----------------------------6519411471194050603270010787
... Content-Disposition: form-data; name="field.authenticatorPlugins.to"
...
... dXNlcnM=
... -----------------------------6519411471194050603270010787
... Content-Disposition: form-data; name="field.authenticatorPlugins-empty-marker"
...
...
... -----------------------------6519411471194050603270010787
... Content-Disposition: form-data; name="UPDATE_SUBMIT"
...
... Change
... -----------------------------6519411471194050603270010787
... Content-Disposition: form-data; name="field.credentialsPlugins"
...
... U2Vzc2lvbiBDcmVkZW50aWFscw==
... -----------------------------6519411471194050603270010787
... Content-Disposition: form-data; name="field.authenticatorPlugins"
...
... dXNlcnM=
... -----------------------------6519411471194050603270010787--
... """)
HTTP/1.1 200 OK
...

Normally, the anonymous role has view, we'll deny it:

>>> print http(r"""
... POST /++etc++site/AllRolePermissions.html HTTP/1.1
... Authorization: Basic mgr:mgrpw
... Content-Type: application/x-www-form-urlencoded
...
... role_id=zope.Anonymous"""
... """&Deny%3Alist=zope.View"""
... """&Deny%3Alist=zope.app.dublincore.view"""
... """&SUBMIT_ROLE=Save+Changes""")
HTTP/1.1 200 OK
...

Now, if we try to access the main page as an anonymous user, we'll be unauthorized:

>>> print http(r"""
... GET / HTTP/1.1
... """)
...
HTTP/1.1 303 See Other
...

We'll even be unauthorized if we try to access it as bob:

>>> print http(r"""
... POST /@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html HTTP/1.1
... Content-Length: 94
... Content-Type: application/x-www-form-urlencoded
... Cookie: zope3_cs_6a60902=cxcKJetHJjB2Px2umkzvTjeVI1E3aOpirHSjOYlxUPF.VX9DNjybrE
... Referer: http://localhost:8081/@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html
...
... login=bob&password=bob&SUBMIT=Log+in&camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html""")
...
HTTP/1.1 303 See Other
...

No, let's grant view to the authenticated group:

>>> print http(r"""
... POST /@@grant.html HTTP/1.1
... Authorization: Basic mgr:mgrpw
... Content-Type: application/x-www-form-urlencoded
...
... field.principal=em9wZS5BdXRoZW50aWNhdGVk&field.principal.displayed=y"""
... """&field.em9wZS5BdXRoZW50aWNhdGVk.permission.zope.View=allow"""
... """&field.em9wZS5BdXRoZW50aWNhdGVk.permission.zope.app.dublincore.view=allow"""
... """&GRANT_SUBMIT=Change""")
HTTP/1.1 200 OK
...

Now, with this, we can access the main page as bob, but not as an anonymous user:

>>> print http(r"""
... GET / HTTP/1.1
... Authorization: Basic bob:123
... """)
HTTP/1.1 200 OK
...
>>> print http(r"""
... GET / HTTP/1.1
... """)
HTTP/1.1 200 OK
...

###401 Unauthorized

Now, we'll grant to unauthenticated:

>>> print http(r"""
... POST /@@grant.html HTTP/1.1
... Authorization: Basic mgr:mgrpw
... Content-Type: application/x-www-form-urlencoded
... Referer: http://localhost:8081/@@grant.html
...
... field.principal=em9wZS5Bbnlib2R5"""
... """&field.em9wZS5Bbnlib2R5.permission.zope.View=allow"""
... """&field.em9wZS5Bbnlib2R5.permission.zope.app.dublincore.view=allow"""
... """&GRANT_SUBMIT=Change""")
HTTP/1.1 200 OK
...

With this, we can access the page as either bob or anonymous:

>>> print http(r"""
... GET / HTTP/1.1
... Authorization: Basic bob:123
... """)
HTTP/1.1 200 OK
...
>>> print http(r"""
... GET / HTTP/1.1
... """)
HTTP/1.1 200 OK
...

Now, we'll remove the authenticated group grant:

>>> print http(r"""
... POST /@@grant.html HTTP/1.1
... Authorization: Basic mgr:mgrpw
... Content-Type: application/x-www-form-urlencoded
...
... field.principal=em9wZS5BdXRoZW50aWNhdGVk"""
... """&field.em9wZS5BdXRoZW50aWNhdGVk.permission.zope.View=unset"""
... """&field.em9wZS5BdXRoZW50aWNhdGVk.permission.zope.app.dublincore.view=unset"""
... """&GRANT_SUBMIT=Change""")
HTTP/1.1 200 OK
...

And anonymous people will be able to access the page, but bob won't be able to:

>>> print http(r"""
... POST /@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html HTTP/1.1
... Content-Length: 94
... Content-Type: application/x-www-form-urlencoded
... Cookie: zope3_cs_6a60902=cxcKJetHJjB2Px2umkzvTjeVI1E3aOpirHSjOYlxUPF.VX9DNjybrE
... Referer: http://localhost:8081/@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html
...
... login=bob&password=bob&SUBMIT=Log+in&camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html""")
...
HTTP/1.1 303 See Other
...
>>> print http(r"""
... GET / HTTP/1.1
... """)
HTTP/1.1 303 See Other
...

Now, we'll remove the unauthenticated group grant:

>>> print http(r"""
... POST /@@grant.html HTTP/1.1
... Authorization: Basic mgr:mgrpw
... Content-Type: application/x-www-form-urlencoded
... Referer: http://localhost:8081/@@grant.html
...
... field.principal=em9wZS5Bbnlib2R5"""
... """&field.em9wZS5Bbnlib2R5.permission.zope.View=unset"""
... """&field.em9wZS5Bbnlib2R5.permission.zope.app.dublincore.view=unset"""
... """&GRANT_SUBMIT=Change""")
HTTP/1.1 200 OK
...
>>> print http(r"""
... POST /@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html HTTP/1.1
... Content-Length: 94
... Content-Type: application/x-www-form-urlencoded
... Cookie: zope3_cs_6a60902=cxcKJetHJjB2Px2umkzvTjeVI1E3aOpirHSjOYlxUPF.VX9DNjybrE
... Referer: http://localhost:8081/@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html
...
... login=bob&password=bob&SUBMIT=Log+in&camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html""")
...
HTTP/1.1 303 See Other
...
>>> print http(r"""
... GET / HTTP/1.1
... """)
HTTP/1.1 303 See Other
...

Finally, we'll grant to everybody:

>>> print http(r"""
... POST /@@grant.html HTTP/1.1
... Authorization: Basic mgr:mgrpw
... Content-Type: application/x-www-form-urlencoded
...
... field.principal=em9wZS5FdmVyeWJvZHk_"""
... """&field.em9wZS5FdmVyeWJvZHk_.permission.zope.View=allow"""
... """&field.em9wZS5FdmVyeWJvZHk_.permission.zope.app.dublincore.view=allow"""
... """&GRANT_SUBMIT=Change""", handle_errors = False)
HTTP/1.1 200 OK
...

and both bob nor anonymous can access:

>>> print http(r"""
... GET / HTTP/1.1
... Authorization: Basic bob:123
... """)
HTTP/1.1 200 OK
...
>>> print http(r"""
... GET / HTTP/1.1
... """)
HTTP/1.1 200 OK
...