[Grok-dev] [Zope-dev] Grok 1.0 released!

Justin Fletcher jyfletcher at gmail.com
Tue Oct 13 11:22:50 EDT 2009


Martijn Faassen wrote:
> Hey,
> 
> Yay! Zope's caveman spin-off, Grok, finally got its 1.0 release today!
> 
> http://grok.zope.org
> 
> Thanks should also go to all Zope hackers for helping to provide the 
> foundation for Grok!
> 
> Regards,
> 
> Martijn
> 


Hello,

Replying to the zope-dev announcement, but on grok-dev since it seems 
more appropriate.  I wasn't subscribed to this list, though I should 
have been. ;-)

First, I should say thanks for all the hard work everyone put into this 
release.

I have an application where, after an upgrade to 1.0 from 1.0a4, I have 
problems like those mentioned here:
https://mail.zope.org/pipermail/grok-dev/2009-October/008787.html

I just now saw that message and I see the workaround, but since I did 
not see it earlier I went about fixing it in another way.  I did not see 
a solution to the problem yet, so if there is not one then maybe this 
will provide further insight:


What I have first is to manually add zope.View permission to a principal 
or else I get the Unauthorized issue on any non-restricted Views (views 
without grok.require()).

For example, before I had only this:
         perm_man.grantPermissionToPrincipal('mysite.sitemanager',
                 principals.prefix + 'manager')

and after I add this:
         perm_man.grantPermissionToPrincipal('zope.View',
                 principals.prefix + 'manager')

and the problem goes away.

So it made me think that the zope.View permission is not given to 
authenticated users, which makes some sense because in site.zcml 
zope.Anybody is the name for "unauthenticatedGroup".

Just to try it out, I removed the extra grantPermissionTo.. code and 
added this to site.zcml:
<grant permission="zope.View" principal="zope.Everybody" />

I redeployed the app, recreated the principal and it works.

Is this a legit fix?  Or will it break other things / open security 
holes, etc?  Would it be better to grant zope.View permission to 
zope.Anybody and zope.Authenticated instead of zope.Everybody?


Thanks,
-Justin

