Restricted access to Plone 6 classic sites

Let's say I have a site and want to restrict access to the content of the site to authenticated and authorized users (i.e. they have the Authenticated and Member roles). This would primarily be for sites that behave as extranets.

In Plone 5 I could change the workflow of all content so that the Member role was required for the View permission on everything. Going to the home page triggers a redirect to login. But you could still make it so that the root portal object itself gave "View" to the Anonymous role, so that they could have access to css resources, etc.

In Plone 6 the front page is no longer a content item, or at least it doesn't have workflow. As far as I can tell the only way to restrict access to it would be to require the Member role on the portal root object itself. But this has the side effect that if you use Plone to login that login form will not be able to even load any css.

Am I thinking about this correctly? I'm not sure if this is a problem for my team per se because we normally use SSO and require authentication on the Apache end, but if you are using Plone's login service on an extranet it seems like a problem.

But you can choose a custom content object as default page.
Besides the workflow option (intranet workflow etc.), why not revoke View from Anonynmous User on the root level?

True, I could set another content object as the default to mimic the old behavior.

Because this also removes access to the portal_registry and when they are prompted for credentials the login form does not have any css. Ultimately it would be nice to distinguish between access to content and access to css/theme.

Btw., in Plone 5, in locked down sites, I always created some root folder. Then I can provide pages on the root level with public instructions or whatever was required.

Or install and use the LRF as the restricted base of all.

Might iw.rejectanonymous ยท PyPI be useful for you?

Thanks, that looks promising. Probably a small amount of work to figure out which resource ids are needed for Plone 6 and for custom themes, but looks like that is easy to do with this tool's API.