what is Zope supposed to do, when there are conflicting security annotations applied to an object?
That depends on the implementation of your security policy. It decides if a principal has a permission for a given context or not.
I'd like to make an object inaccessible - except for members of a given role. This is how it should look like: grantPermissionToRole('zope.View','role.admins',Allow) denyPermissionToRole('zope.View','zope.Anybody',Deny) Is this possible?
The zope.app.securitypolicy.interfaces.IRolePermissionManager adapter seems to do what you want. The spelling is essentially the same except for that redudant third parameter. Use IPrincipalPermissionManager if you want to grant/deny permissions to a principal (or group).
If not, why? Maybe there's a more elegant solution? 'zope.Anybody' is defined as a "group" in etc/principals.zcml. Can I use it like a role?
No. Groups are principals which means you can grant or deny permissions to all principals within that group by working on the group.
Is there a role, any anonymous user *and* any authenticated user is automagically assigned to?
Not that I know of, but I figure you could easily make one that is. Of course, you could always use the zope.Anybody group to represent all principals. I think groups are the more sensible thing to use here.
-- http://worldcookery.com -- Professional Zope documentation and training _______________________________________________ Zope3-users mailing list Zope3email@example.com http://mail.zope.org/mailman/listinfo/zope3-users