Granting to unauthenticated
===========================

There are 3 special groups:

- Everybody, that everybody belongs to,

- Unauthenticated, that unauthenticated users belong to, and

- Authenticated, that authenticated users belong to.

Here's an example:

First, we'll set up a pluggable authentication utility (PAU), then add
a principal folder to it.



Create pluggable authentication utility and register it.

  >>> print http(r"""
  ... POST /++etc++site/default/@@contents.html HTTP/1.1
  ... Authorization: Basic bWdyOm1ncnB3
  ... Content-Length: 98
  ... Content-Type: application/x-www-form-urlencoded
  ... Cookie: zope3_cs_6a553b3=-j7C3CdeW9sUK8BP5x97u2d9o242xMJDzJd8HCQ5AAi9xeFcGTFkAs
  ... Referer: http://localhost:8081/++etc++site/default/@@contents.html?type_name=BrowserAdd__zope.app.authentication.authentication.PluggableAuthentication
  ... 
  ... type_name=BrowserAdd__zope.app.authentication.authentication.PluggableAuthentication&new_value=PAU""")
  HTTP/1.1 303 See Other
  ...

  >>> print http(r"""
  ... POST /++etc++site/default/PAU/addRegistration.html HTTP/1.1
  ... Authorization: Basic bWdyOm1ncnB3
  ... Content-Length: 687
  ... Content-Type: multipart/form-data; boundary=---------------------------5559795404609280911441883437
  ... Cookie: zope3_cs_6a553b3=-j7C3CdeW9sUK8BP5x97u2d9o242xMJDzJd8HCQ5AAi9xeFcGTFkAs
  ... Referer: http://localhost:8081/++etc++site/default/PAU/addRegistration.html
  ... 
  ... -----------------------------5559795404609280911441883437
  ... Content-Disposition: form-data; name="field.status"
  ... 
  ... Active
  ... -----------------------------5559795404609280911441883437
  ... Content-Disposition: form-data; name="field.status-empty-marker"
  ... 
  ... 1
  ... -----------------------------5559795404609280911441883437
  ... Content-Disposition: form-data; name="field.permission"
  ... 
  ... 
  ... -----------------------------5559795404609280911441883437
  ... Content-Disposition: form-data; name="field.permission-empty-marker"
  ... 
  ... 1
  ... -----------------------------5559795404609280911441883437
  ... Content-Disposition: form-data; name="UPDATE_SUBMIT"
  ... 
  ... Add
  ... -----------------------------5559795404609280911441883437--
  ... """)
  HTTP/1.1 303 See Other
  ...

Add a Principal folder plugin to PAU.

  >>> print http(r"""
  ... POST /++etc++site/default/PAU/+/AddPrincipalFolder.html%3D HTTP/1.1
  ... Authorization: Basic bWdyOm1ncnB3
  ... Content-Length: 429
  ... Content-Type: multipart/form-data; boundary=---------------------------95449631112274213651507932125
  ... Cookie: zope3_cs_6a553b3=-j7C3CdeW9sUK8BP5x97u2d9o242xMJDzJd8HCQ5AAi9xeFcGTFkAs
  ... Referer: http://localhost:8081/++etc++site/default/PAU/+/AddPrincipalFolder.html=
  ... 
  ... -----------------------------95449631112274213651507932125
  ... Content-Disposition: form-data; name="field.prefix"
  ... 
  ... users
  ... -----------------------------95449631112274213651507932125
  ... Content-Disposition: form-data; name="UPDATE_SUBMIT"
  ... 
  ... Add
  ... -----------------------------95449631112274213651507932125
  ... Content-Disposition: form-data; name="add_input_name"
  ... 
  ... users
  ... -----------------------------95449631112274213651507932125--
  ... """)
  HTTP/1.1 303 See Other
  ...


Register Principal Folder.

  >>> print http(r"""
  ... POST /++etc++site/default/PAU/users/addRegistration.html HTTP/1.1
  ... Authorization: Basic bWdyOm1ncnB3
  ... Content-Length: 806
  ... Content-Type: multipart/form-data; boundary=---------------------------3658059809094229671187159254
  ... Cookie: zope3_cs_6a553b3=-j7C3CdeW9sUK8BP5x97u2d9o242xMJDzJd8HCQ5AAi9xeFcGTFkAs
  ... Referer: http://localhost:8081/++etc++site/default/PAU/users/addRegistration.html
  ... 
  ... -----------------------------3658059809094229671187159254
  ... Content-Disposition: form-data; name="field.name"
  ... 
  ... users
  ... -----------------------------3658059809094229671187159254
  ... Content-Disposition: form-data; name="field.status"
  ... 
  ... Active
  ... -----------------------------3658059809094229671187159254
  ... Content-Disposition: form-data; name="field.status-empty-marker"
  ... 
  ... 1
  ... -----------------------------3658059809094229671187159254
  ... Content-Disposition: form-data; name="field.permission"
  ... 
  ... 
  ... -----------------------------3658059809094229671187159254
  ... Content-Disposition: form-data; name="field.permission-empty-marker"
  ... 
  ... 1
  ... -----------------------------3658059809094229671187159254
  ... Content-Disposition: form-data; name="UPDATE_SUBMIT"
  ... 
  ... Add
  ... -----------------------------3658059809094229671187159254--
  ... """)
  HTTP/1.1 303 See Other
  ...

Add a principal to it:

  >>> print http(r"""
  ... POST /++etc++site/default/PAU/users/+/AddPrincipalInformation.html%3D HTTP/1.1
  ... Authorization: Basic bWdyOm1ncnB3
  ... Content-Length: 780
  ... Content-Type: multipart/form-data; boundary=---------------------------5110544421083023415453147877
  ... Cookie: zope3_cs_6a553b3=-j7C3CdeW9sUK8BP5x97u2d9o242xMJDzJd8HCQ5AAi9xeFcGTFkAs
  ... Referer: http://localhost:8081/++etc++site/default/PAU/users/+/AddPrincipalInformation.html%3D
  ... 
  ... -----------------------------5110544421083023415453147877
  ... Content-Disposition: form-data; name="field.login"
  ... 
  ... bob
  ... -----------------------------5110544421083023415453147877
  ... Content-Disposition: form-data; name="field.passwordManagerName"
  ... 
  ... Plain Text
  ... -----------------------------5110544421083023415453147877
  ... Content-Disposition: form-data; name="field.password"
  ... 
  ... bob
  ... -----------------------------5110544421083023415453147877
  ... Content-Disposition: form-data; name="field.title"
  ... 
  ... bob
  ... -----------------------------5110544421083023415453147877
  ... Content-Disposition: form-data; name="field.description"
  ... 
  ... 
  ... -----------------------------5110544421083023415453147877
  ... Content-Disposition: form-data; name="UPDATE_SUBMIT"
  ... 
  ... Add
  ... -----------------------------5110544421083023415453147877
  ... Content-Disposition: form-data; name="add_input_name"
  ... 
  ... bob
  ... -----------------------------5110544421083023415453147877--
  ... """)
  HTTP/1.1 303 See Other
  ...


Configure PAU, with registered principal folder plugin.

  >>> print http(r"""
  ... POST /++etc++site/default/PAU/@@configure.html HTTP/1.1
  ... Authorization: Basic bWdyOm1ncnB3
  ... Content-Length: 1038
  ... Content-Type: multipart/form-data; boundary=---------------------------6519411471194050603270010787
  ... Cookie: zope3_cs_6a553b3=-j7C3CdeW9sUK8BP5x97u2d9o242xMJDzJd8HCQ5AAi9xeFcGTFkAs
  ... Referer: http://localhost:8081/++etc++site/default/PAU/@@configure.html
  ... 
  ... -----------------------------6519411471194050603270010787
  ... Content-Disposition: form-data; name="field.credentialsPlugins.to"
  ... 
  ... Session Credentials
  ... -----------------------------6519411471194050603270010787
  ... Content-Disposition: form-data; name="field.credentialsPlugins-empty-marker"
  ... 
  ... 
  ... -----------------------------6519411471194050603270010787
  ... Content-Disposition: form-data; name="field.authenticatorPlugins.to"
  ... 
  ... users
  ... -----------------------------6519411471194050603270010787
  ... Content-Disposition: form-data; name="field.authenticatorPlugins-empty-marker"
  ... 
  ... 
  ... -----------------------------6519411471194050603270010787
  ... Content-Disposition: form-data; name="UPDATE_SUBMIT"
  ... 
  ... Change
  ... -----------------------------6519411471194050603270010787
  ... Content-Disposition: form-data; name="field.credentialsPlugins"
  ... 
  ... Session Credentials
  ... -----------------------------6519411471194050603270010787
  ... Content-Disposition: form-data; name="field.authenticatorPlugins"
  ... 
  ... users
  ... -----------------------------6519411471194050603270010787--
  ... """)
  HTTP/1.1 200 Ok
  ...

Normally, the anonymous role has the view permission. We'll deny it:

  >>> print http(r"""
  ... POST /++etc++site/AllRolePermissions.html HTTP/1.1
  ... Authorization: Basic mgr:mgrpw
  ... Content-Type: application/x-www-form-urlencoded
  ... 
  ... role_id=zope.Anonymous""" 
  ... """&Deny%3Alist=zope.View""" 
  ... """&Deny%3Alist=zope.app.dublincore.view""" 
  ... """&SUBMIT_ROLE=Save+Changes""")
  HTTP/1.1 200 Ok
  ...

Now, if we try to access the main page as an anonymous user, 
we'll be unauthorized:


  >>> print http(r"""
  ... GET / HTTP/1.1
  ... """)
  ...
  HTTP/1.1 303 See Other
  ...



We'll even be unauthorized if we try to access it as bob:

  >>> print http(r"""
  ... POST /@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html HTTP/1.1
  ... Content-Length: 94
  ... Content-Type: application/x-www-form-urlencoded
  ... Cookie: zope3_cs_6a60902=cxcKJetHJjB2Px2umkzvTjeVI1E3aOpirHSjOYlxUPF.VX9DNjybrE
  ... Referer: http://localhost:8081/@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html
  ... 
  ... login=bob&password=bob&SUBMIT=Log+in&camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html""")
  ...
  HTTP/1.1 303 See Other
  ...


Now, let's grant view to the authenticated group:

  >>> print http(r"""
  ... POST /@@grant.html HTTP/1.1
  ... Authorization: Basic mgr:mgrpw
  ... Content-Type: application/x-www-form-urlencoded
  ... 
  ... field.principal=em9wZS5BdXRoZW50aWNhdGVk&field.principal.displayed=y"""
  ... """&field.em9wZS5BdXRoZW50aWNhdGVk.permission.zope.View=allow"""
  ... """&field.em9wZS5BdXRoZW50aWNhdGVk.permission.zope.app.dublincore.view=allow"""
  ... """&GRANT_SUBMIT=Change""")
  HTTP/1.1 200 Ok
  ...

Now, with this, we can access the main page as bob, but not as an
anonymous user:

  >>> print http(r"""
  ... GET / HTTP/1.1
  ... Authorization: Basic bob:123
  ... """)
  HTTP/1.1 200 Ok
  ...

  >>> print http(r"""
  ... GET / HTTP/1.1
  ... """)
  HTTP/1.1 200 Ok 
  ...

###401 Unauthorized


Now, we'll grant to unauthenticated:

  >>> print http(r"""
  ... POST /@@grant.html HTTP/1.1
  ... Authorization: Basic mgr:mgrpw
  ... Content-Type: application/x-www-form-urlencoded
  ... Referer: http://localhost:8081/@@grant.html
  ... 
  ... field.principal=em9wZS5Bbnlib2R5"""
  ... """&field.em9wZS5Bbnlib2R5.permission.zope.View=allow"""
  ... """&field.em9wZS5Bbnlib2R5.permission.zope.app.dublincore.view=allow"""
  ... """&GRANT_SUBMIT=Change""")
  HTTP/1.1 200 Ok
  ...

With this, we can access the page as either bob or anonymous:

  >>> print http(r"""
  ... GET / HTTP/1.1
  ... Authorization: Basic bob:123
  ... """)
  HTTP/1.1 200 Ok
  ...

  >>> print http(r"""
  ... GET / HTTP/1.1
  ... """)
  HTTP/1.1 200 Ok
  ...


Now, we'll remove the authenticated group grant:

  >>> print http(r"""
  ... POST /@@grant.html HTTP/1.1
  ... Authorization: Basic mgr:mgrpw
  ... Content-Type: application/x-www-form-urlencoded
  ... 
  ... field.principal=em9wZS5BdXRoZW50aWNhdGVk"""
  ... """&field.em9wZS5BdXRoZW50aWNhdGVk.permission.zope.View=unset"""
  ... """&field.em9wZS5BdXRoZW50aWNhdGVk.permission.zope.app.dublincore.view=unset"""
  ... """&GRANT_SUBMIT=Change""")
  HTTP/1.1 200 Ok
  ...

And anonymous people will be able to access the page, but bob won't be able to:

  >>> print http(r"""
  ... POST /@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html HTTP/1.1
  ... Content-Length: 94
  ... Content-Type: application/x-www-form-urlencoded
  ... Cookie: zope3_cs_6a60902=cxcKJetHJjB2Px2umkzvTjeVI1E3aOpirHSjOYlxUPF.VX9DNjybrE
  ... Referer: http://localhost:8081/@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html
  ... 
  ... login=bob&password=bob&SUBMIT=Log+in&camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html""")
  ...
  HTTP/1.1 303 See Other
  ...



  >>> print http(r"""
  ... GET / HTTP/1.1
  ... """)
  HTTP/1.1 303 See Other
  ...




Now, we'll remove the unauthenticated group grant:

  >>> print http(r"""
  ... POST /@@grant.html HTTP/1.1
  ... Authorization: Basic mgr:mgrpw
  ... Content-Type: application/x-www-form-urlencoded
  ... Referer: http://localhost:8081/@@grant.html
  ... 
  ... field.principal=em9wZS5Bbnlib2R5"""
  ... """&field.em9wZS5Bbnlib2R5.permission.zope.View=unset"""
  ... """&field.em9wZS5Bbnlib2R5.permission.zope.app.dublincore.view=unset"""
  ... """&GRANT_SUBMIT=Change""")
  HTTP/1.1 200 Ok
  ...

  >>> print http(r"""
  ... POST /@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html HTTP/1.1
  ... Content-Length: 94
  ... Content-Type: application/x-www-form-urlencoded
  ... Cookie: zope3_cs_6a60902=cxcKJetHJjB2Px2umkzvTjeVI1E3aOpirHSjOYlxUPF.VX9DNjybrE
  ... Referer: http://localhost:8081/@@loginForm.html?camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html
  ... 
  ... login=bob&password=bob&SUBMIT=Log+in&camefrom=http%3A%2F%2Flocalhost%3A8081%2F%40%40index.html""")
  ...
  HTTP/1.1 303 See Other
  ...


  >>> print http(r"""
  ... GET / HTTP/1.1
  ... """)
  HTTP/1.1 303 See Other
  ...



Finally, we'll grant to everybody:

  >>> print http(r"""
  ... POST /@@grant.html HTTP/1.1
  ... Authorization: Basic mgr:mgrpw
  ... Content-Type: application/x-www-form-urlencoded
  ... 
  ... field.principal=em9wZS5FdmVyeWJvZHk_"""
  ... """&field.em9wZS5FdmVyeWJvZHk_.permission.zope.View=allow"""
  ... """&field.em9wZS5FdmVyeWJvZHk_.permission.zope.app.dublincore.view=allow"""
  ... """&GRANT_SUBMIT=Change""", handle_errors = False)
  HTTP/1.1 200 Ok
  ...

and both bob and anonymous can access:

  >>> print http(r"""
  ... GET / HTTP/1.1
  ... Authorization: Basic bob:123
  ... """)
  HTTP/1.1 200 Ok
  ...

  >>> print http(r"""
  ... GET / HTTP/1.1
  ... """)
  HTTP/1.1 200 Ok
  ...
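
To audit which principal each ``@@grant.html`` request above targets, the following added example (not part of the original test) parses the three "allow" form bodies copied from this page and decodes their ``field.principal`` tokens. It assumes the tokens are base64 of the principal id with ``=`` padding written as ``_``, which matches the values shown here; the function names are hypothetical.

```python
import base64
from urllib.parse import parse_qsl

# Form bodies copied from the "allow" grant requests on this page,
# keyed by how the surrounding prose describes each request.
GRANT_BODIES = {
    "authenticated": (
        "field.principal=em9wZS5BdXRoZW50aWNhdGVk&field.principal.displayed=y"
        "&field.em9wZS5BdXRoZW50aWNhdGVk.permission.zope.View=allow"
        "&field.em9wZS5BdXRoZW50aWNhdGVk.permission.zope.app.dublincore.view=allow"
        "&GRANT_SUBMIT=Change"
    ),
    "unauthenticated": (
        "field.principal=em9wZS5Bbnlib2R5"
        "&field.em9wZS5Bbnlib2R5.permission.zope.View=allow"
        "&field.em9wZS5Bbnlib2R5.permission.zope.app.dublincore.view=allow"
        "&GRANT_SUBMIT=Change"
    ),
    "everybody": (
        "field.principal=em9wZS5FdmVyeWJvZHk_"
        "&field.em9wZS5FdmVyeWJvZHk_.permission.zope.View=allow"
        "&field.em9wZS5FdmVyeWJvZHk_.permission.zope.app.dublincore.view=allow"
        "&GRANT_SUBMIT=Change"
    ),
}


def decode_principal_token(token):
    """Assumption: base64 of the principal id, '=' padding written as '_'."""
    padded = token.replace("_", "=")
    return base64.b64decode(padded, validate=True).decode("ascii")


def parse_grant_body(body):
    """Return (principal_id, {permission_id: setting}) for one grant body."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    token = fields.get("field.principal")
    if not token:
        raise ValueError("no field.principal in grant body")
    prefix = "field.%s.permission." % token
    settings = {name[len(prefix):]: value
                for name, value in fields.items() if name.startswith(prefix)}
    return decode_principal_token(token), settings


def summarize(bodies):
    """Map each label to its decoded principal id and permission settings."""
    return {label: parse_grant_body(body) for label, body in bodies.items()}
```

The token in the request introduced as the unauthenticated grant decodes to ``zope.Anybody``; the other two decode to ``zope.Authenticated`` and ``zope.Everybody``.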
