Access control in Grok is extremely easy.

When defining a view or viewlet, one may protect it by specifying the grok.require() directive.  grok.require() takes as its argument either a permission string or a grok.Permission class.

All permission strings by convention start with a prefix; the basic Zope permissions have a 'zope.' prefix, while our wiki uses the 'gfn.' prefix.  For example, the Administering permission has the text equivalent 'gfn.administering'.

When protecting viewlets, those viewlets which are not allowed for the current principal are simply not rendered.  For protected views, on the other hand, the security mechanism renders the login page instead of the view and, after accepting credentials, redirects to the original page.

For views or viewlets which should be accessible to anybody, one should use the permission 'zope.Public':

import grok

class Status(grok.Viewlet):
    ''' Renders the login form in the Authentication area of the layout
    '''
    grok.context(ILayout)
    grok.viewletmanager(AuthSection)
    grok.require('zope.Public')    # anybody, including anonymous users, may see it
...

For views which should be restricted, specify the needed permission:

import grok
import permissions as gfn

class EditPrincipalForm(grok.EditForm):
    ''' A form that allows creation, editing and deletion of principals. '''
    grok.context(Users)          # view available as URL: 'appname/editprincipal'
    grok.require(gfn.Administering)    # Permission requirement, given as a class

...which is equivalent to:

class EditPrincipalForm(grok.EditForm):
    ''' A form that allows creation, editing and deletion of principals. '''
    grok.context(Users)          # view available as URL: 'appname/editprincipal'
    grok.require('gfn.administering')    # Permission requirement

To manually check a permission for the current user, one may use request.interaction.checkPermission().  For example:

    def isEditable(self):
        # True only if the current principal holds 'gfn.editing' on this context
        i = self.request.interaction
        if not i.checkPermission('gfn.editing', self.context):
            return False
        return True
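The following is an added example, not code from the Grok 4 Noobs wiki or from Grok itself. It is a small stand-alone model of the behaviour described on this page: a permission may be given as a string or as a class (the two EditPrincipalForm declarations above are equivalent), 'zope.Public' is granted to everybody, unauthorised viewlets are dropped while an unauthorised view yields the login page with a redirect back to the original page, and a manual check in the style of isEditable().  The names Permission, require, Interaction, render_viewlets, render_view and is_editable are stand-ins invented for this example; in a real Grok application a permission is declared as a grok.Permission subclass with grok.name('gfn.administering'), and checks run through self.request.interaction.checkPermission.

```python
# Added example (not from the Grok 4 Noobs page or from Grok): a simplified,
# self-contained model of permission checks.  Permission, require, Interaction,
# render_viewlets, render_view and is_editable are stand-in names.

PUBLIC = 'zope.Public'   # the one permission every principal holds


class Permission:
    """Stand-in for grok.Permission: a class whose id is the permission text."""
    id = None


# Equivalent of the wiki's `permissions` module, using the 'gfn.' prefix.
class Administering(Permission):
    id = 'gfn.administering'


class Editing(Permission):
    id = 'gfn.editing'


def require(permission):
    """Normalise a grok.require()-style argument to its text form.

    Accepts either the permission string or a Permission subclass, so
    require(Administering) == require('gfn.administering').
    """
    if isinstance(permission, type) and issubclass(permission, Permission):
        if not permission.id:
            raise ValueError('permission class %r has no id' % permission)
        return permission.id
    if isinstance(permission, str):
        return permission
    raise TypeError('expected a permission string or a Permission class')


class Interaction:
    """Stand-in for request.interaction: knows which permissions the
    current principal has been granted (a constructed sample, see below)."""

    def __init__(self, granted):
        self.granted = frozenset(granted)

    def checkPermission(self, permission, context=None):
        # zope.Public is always granted; everything else must be listed.
        permission = require(permission)
        return permission == PUBLIC or permission in self.granted


def render_viewlets(interaction, viewlets):
    """Viewlets the principal may not see are silently left out."""
    return [name for name, perm in viewlets
            if interaction.checkPermission(perm)]


def render_view(interaction, name, permission):
    """A protected view renders itself, or the login page carrying the
    name of the original view so it can be redirected to afterwards."""
    if interaction.checkPermission(permission):
        return {'page': name}
    return {'page': 'login', 'camefrom': name}


def is_editable(interaction, context=None):
    """Manual check in the style of the isEditable() method above."""
    return bool(interaction.checkPermission('gfn.editing', context))


# Constructed sample: one public and one admin-only viewlet, rendered for
# an anonymous principal and for an administrator.
VIEWLETS = [('status', PUBLIC), ('adminmenu', Administering)]
anonymous = Interaction(granted=[])
admin = Interaction(granted=['gfn.administering', 'gfn.editing'])

if __name__ == '__main__':
    print(render_viewlets(anonymous, VIEWLETS))        # ['status']
    print(render_viewlets(admin, VIEWLETS))            # ['status', 'adminmenu']
    print(render_view(anonymous, 'editprincipal', Administering))
    print(render_view(admin, 'editprincipal', 'gfn.administering'))
    print(is_editable(anonymous), is_editable(admin))  # False True
```

The check for 'zope.Public' sits in one place, checkPermission(), so a viewlet or view declared public never depends on what the principal was granted; every other permission has to be granted explicitly, which is the default-deny behaviour one wants from view protection.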

Grok 4 Noobs

Controlling access to views and data