Hi,
Just an idea for the web2p auth system, why not introduce a standard group 'public' which is assigned to all visitors (not only logged in users) The main advantage of this would be, that you in an easy way can change all access rights for all requests. By (allways) using the has_permission decorator / and granting (or deny) access to the 'public' group you can also controll what not logged in users can see. By not assigning any rights to a public group / and not including the decorator in all places it would also be backward compatible with older versions.. Looks like an easy change to me (in our setup, we override the permission check of web2py, and allwasy add a 'public' group to the list)..
