Redirect to nearest public ancestor if page is private.

Products/AutoUserMakerPASPlugin/auth.py

@@ -23,6 +23,7 @@
 from Products.PluggableAuthService.utils import classImplements
 from random import choice
 from ZODB.POSException import ConflictError
+from zope.security import checkPermission
 
 import itertools
 import re
@@ -268,7 +269,33 @@ def loginUrl(self, currentUrl):
     def challenge(self, request, response):
         # Just Start a challenge, if not logged yet
         if request.getHeader(httpRemoteUserKey, None) == None:
-            url = self.loginUrl(request.ACTUAL_URL)
+            url = None
+
+            # try to redirect to a public parent
+            parents = request.get('PARENTS', [])
+
+            # the first element is the object itself. so we skip that.
+            if len(parents) > 1:
+                public_parent = None
+
+                obj = parents[0]
+                anon_redirect_link = getattr(obj, 'anon_redirect_link', None)
+                if anon_redirect_link:
+                    response.redirect(anon_redirect_link, lock=True)
+                    return True
+
+                for parent in parents[1:]:
+                    perm = checkPermission('zope2.View', parent)
+                    if perm:
+                        public_parent = parent
+                        break
+
+                if public_parent:
+                    url = public_parent.absolute_url()
+
+            # redirect to login-view if no parents found.
+            if not url:
+                url = self.loginUrl(request.ACTUAL_URL)
             if url:
                 response.redirect(url, lock=True)
                 return True