diff --git a/edbob/db/auth.py b/edbob/db/auth.py
index 9209013..7506cea 100644
--- a/edbob/db/auth.py
+++ b/edbob/db/auth.py
@@ -78,7 +78,22 @@ def administrator_role(session):
     return admin
 
 
-def has_permission(obj, perm):
+def guest_role(session):
+    """
+    Returns the "Guest" :class:`edbob.Role` instance, attached to the given
+    ``session``.
+    """
+
+    uuid = 'f8a27c98965a11dfaff7001143047286'
+    admin = session.query(edbob.Role).get(uuid)
+    if admin:
+        return admin
+    admin = edbob.Role(uuid=uuid, name='Guest')
+    session.add(admin)
+    return admin
+
+
+def has_permission(obj, perm, session=None):
     """
     Checks the given ``obj`` (which may be either a :class:`edbob.User`` or
     :class:`edbob.Role` instance), and returns a boolean indicating whether or
@@ -90,11 +105,15 @@ def has_permission(obj, perm):
         roles = obj.roles
     elif isinstance(obj, edbob.Role):
         roles = [obj]
+    elif obj is None:
+        roles = []
     else:
         raise TypeError("You must pass either a User or Role for 'obj'; got: %s" % repr(obj))
-    session = object_session(obj)
-    assert session
+    if not session:
+        session = object_session(obj)
+        assert session
     admin = administrator_role(session)
+    roles.append(guest_role(session))
     for role in roles:
         if role is admin:
             return True
diff --git a/edbob/pyramid/auth.py b/edbob/pyramid/auth.py
index 803f45c..339392b 100644
--- a/edbob/pyramid/auth.py
+++ b/edbob/pyramid/auth.py
@@ -51,6 +51,8 @@ class EdbobAuthorizationPolicy(object):
                 user = Session.query(edbob.User).get(userid)
                 assert user
                 return has_permission(user, permission)
+        if Everyone in principals:
+            return has_permission(None, permission, session=Session())
         return False
 
     def principals_allowed_by_permission(self, context, permission):
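Review bot: guest_role is a copy of administrator_role that keeps the local named `admin`, so the body reads as if it returned the Administrator role; renaming it, `guest = session.query(edbob.Role).get(uuid)` through `return guest`, keeps the two helpers parallel without the confusion. The docstring should also state the side effect, since this helper is now invoked from inside an authorization check (second hunk) and a missing role becomes a new row on the next flush; something like `If no Guest role exists yet, one is created and added to the session.` after the first sentence would do. The hard-coded uuid string could likewise be lifted to a module-level constant, matching whatever administrator_role does for its own uuid above this hunk.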
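Review bot: `roles.append(guest_role(session))` mutates the caller's data when `obj` is a User, because `roles = obj.roles` on the first context line binds the user's relationship collection itself rather than a copy; the append attaches the Guest role to that user object and, if the session is flushed afterwards, persists that membership for every user who is permission-checked. Copy the collection before extending it, `roles = list(obj.roles)`; the `[obj]` and `[]` branches already produce fresh lists. Separately, `if not session:` tests the truthiness of a session object where `if session is None:` states the intent exactly, and the relocated `assert session` is stripped under `python -O`, so an explicit `raise` on a missing session would be the safer guard. has_permission is defined in the first hunk and its body continues past this one.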
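Review bot: `has_permission(None, permission, session=Session())` obtains the session by calling `Session`, whereas the context lines above go through `Session.query(...)` directly; if `Session` is a scoped_session both forms yield the same registry session and this is fine, but if it is a plain sessionmaker each unauthenticated check opens a fresh session that is never closed and may be left holding the pending Role that guest_role adds, so it is worth confirming which it is and saying so in a comment. Pyramid puts `Everyone` in the effective principals of every request, so this branch makes the Guest role's permissions the floor for unauthenticated access; a one-line comment such as `# Unauthenticated requests get whatever the Guest role allows.` would document that. The enclosing permits() method starts outside the hunk and its layout is not recoverable from the collapsed diff, so confirm the new `if` sits after the loop rather than inside the branch that has already returned.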