After exploring a few different options I have come to the conclusion that the most seamless way to allow securing of viewing content is to create a new part that either inherits or extends the Body part. I basically want everything the Body part has, plus
the ability to attach (for now) a single Role ID (defaulting to "Authenticated") to control who can and can't view the content.
The plan is to then change the Driver.Display() method to return some "Access denied" HTML content instead of the requested HTML if the current user doesn't meet the role restriction.
My question to the developers: is this the best approach?
Please note that I initially tried to create a "content filter" part that could be added to existing content types, but could find no way to cancel/override the display of the page. All I could do was stop the display of my own part (where I was
showing the Role ID for debug purposes).
I also explored the AuthorizationServiceEventHandler (prior to 0.8 release) but the IAuthorizationService.TryCheckAccess() method only seems to be used by Admin pages.