BeforeDeleteException and FTP "530 Unauthorized" messages
I've just spent a few hours digging around in ZServer and friends. I haven't wrapped my head around everything, but the basic idea I get is that if a user is not allowed to delete objects from a container, then either an Unauthorized or Forbidden exception is raised (I'm still not able to tell which). This is then translated to its respective code (401 or 403) and set as the status of a Response object. Then, in FTPServer the 401 or 403 is returned to the ftp client as "530 Unauthorized".
I have a product that is using BeforeDeleteException to veto object deletion. I would expect that when I tried to delete the object via FTP that the ftp client would get "530 Unauthorized", but it gets nothing and the BeforeDeleteException is going uncaught.
It seems to me that in ZServer the http response status is directly tied to the exception type (either Unauthorized or Forbidden.) Does anyone know how I might go about getting the ftp server to return "530 Unauthorized" if object deletion is vetoed with BeforeDeleteException? Or more specifically how a BeforeDeleteException could change the response status to 401 or 403 (which is more appropriate?) Also, is this a bug, or is there some reason the BeforeDeleteException goes uncaught?
Any insight would be much appreciated.
Thanks, joseph
Well I've solved it for now. It smells hackish, but it seems to work well, and it's simple. At least I didn't have to patch any ZServer code ;)
I created a new Exception class:
    from OFS.ObjectManager import BeforeDeleteException

    class Unauthorized(BeforeDeleteException):
        pass
and then raised this new Unauthorized exception in manage_beforeDelete if the permission check fails:
    user = getSecurityManager().getUser()
    if not user.has_permission(DeleteFiles, self):
        raise Unauthorized
This gives me the pretty "Insufficient Privileges" error in Plone and a "530 Unauthorized" error via FTP if I'm not allowed to delete the file. It also seems to abort the transaction if I'm trying to delete multiple files TTW, which is exactly what I wanted. FTP deletion will go ahead for any allowed files since it carries out deletions one at a time. Somehow I doubt that all FTP clients handle folder deletion in the same way, so we'll see how that pans out.
Hopefully things will be easier in Zope3. This thread seems to give some hope anyhow. http://mail.zope.org/pipermail/zope3-dev/2004-January/009298.html
Joseph Kocherhans wrote:
I've just spent a few hours digging around in ZServer and friends. I haven't wrapped my head around everything, but the basic idea I get is that if a user is not allowed to delete objects from a container, then either an Unauthorized or Forbidden exception is raised (I'm still not able to tell which). This is then translated to its respective code (401 or 403) and set as the status of a Response object. Then, in FTPServer the 401 or 403 is returned to the ftp client as "530 Unauthorized".
I have a product that is using BeforeDeleteException to veto object deletion. I would expect that when I tried to delete the object via FTP that the ftp client would get "530 Unauthorized", but it gets nothing and the BeforeDeleteException is going uncaught.
It seems to me that in ZServer the http response status is directly tied to the exception type (either Unauthorized or Forbidden.) Does anyone know how I might go about getting the ftp server to return "530 Unauthorized" if object deletion is vetoed with BeforeDeleteException? Or more specifically how a BeforeDeleteException could change the response status to 401 or 403 (which is more appropriate?) Also, is this a bug, or is there some reason the BeforeDeleteException goes uncaught?
Any insight would be much appreciated.
Thanks, joseph
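Added example, not part of the original posts and not ZServer or OFS code: a constructed stand-in model of the workaround described above, showing why a veto exception named Unauthorized gets a "530 Unauthorized" reply while a plain BeforeDeleteException escapes, and how one-at-a-time FTP deletion differs from an aborted through-the-web transaction. The class names mirror the post; `STATUS_BY_NAME`, `Item`, `ftp_dele`, `ttw_delete`, `make_folder` and the "250 OK" reply are assumptions made for illustration.

```python
# Constructed stand-in model, not ZServer/OFS code. Assumption (from the
# post): the reply is chosen from the exception type that reaches the server.

class BeforeDeleteException(Exception):
    """Stand-in for OFS.ObjectManager.BeforeDeleteException."""

class Unauthorized(BeforeDeleteException):
    """The workaround: still a delete veto, but named Unauthorized."""

# Hypothetical lookup table keyed by exception class name.
STATUS_BY_NAME = {"Unauthorized": 401, "Forbidden": 403}

class Item:
    def __init__(self, allowed_users, veto_type):
        self.allowed_users, self.veto_type = allowed_users, veto_type

    def manage_beforeDelete(self, user):
        # The post's permission check, reduced to a set lookup.
        if user not in self.allowed_users:
            raise self.veto_type()

def ftp_dele(folder, name, user):
    """Hypothetical FTP delete handler: one object per command."""
    try:
        folder[name].manage_beforeDelete(user)
    except BeforeDeleteException as exc:
        if STATUS_BY_NAME.get(type(exc).__name__) in (401, 403):
            return "530 Unauthorized"
        raise  # plain veto: no status mapped, exception goes uncaught
    del folder[name]
    return "250 OK"  # constructed success reply

def ttw_delete(folder, names, user):
    """Through-the-web delete: one transaction, aborted on any veto."""
    snapshot = dict(folder)
    try:
        for name in names:
            folder[name].manage_beforeDelete(user)
            del folder[name]
    except BeforeDeleteException:
        folder.clear()
        folder.update(snapshot)  # roll back deletions already made
        raise

def make_folder(veto_type):
    # Constructed sample: "joe" may delete a.txt but not b.txt.
    return {"a.txt": Item({"joe"}, veto_type), "b.txt": Item(set(), veto_type)}
```

In this model the FTP path leaves the folder partially deleted (only b.txt remains), while the through-the-web path leaves it untouched.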
This looks interesting to say the least, perhaps you could put it in the collector and someone might look at it some time?
Chris
Joseph Kocherhans wrote:
Well I've solved it for now. It smells hackish, but it seems to work well, and it's simple. At least I didn't have to patch any ZServer code ;)
I created a new Exception class:
    from OFS.ObjectManager import BeforeDeleteException

    class Unauthorized(BeforeDeleteException):
        pass
and then raised this new Unauthorized exception in manage_beforeDelete if the permission check fails:
    user = getSecurityManager().getUser()
    if not user.has_permission(DeleteFiles, self):
        raise Unauthorized
This gives me the pretty "Insufficient Privileges" error in Plone and a "530 Unauthorized" error via FTP if I'm not allowed to delete the file. It also seems to abort the transaction if I'm trying to delete multiple files TTW, which is exactly what I wanted. FTP deletion will go ahead for any allowed files since it carries out deletions one at a time. Somehow I doubt that all FTP clients handle folder deletion in the same way, so we'll see how that pans out.
-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Joseph Kocherhans wrote at 2004-3-30 18:30 -0700:
... It seems to me that in ZServer the http response status is directly tied to the exception type (either Unauthorized or Forbidden.) Does anyone know how I might go about getting the ftp server to return "530 Unauthorized" if object deletion is vetoed with BeforeDeleteException? Or more specifically how a BeforeDeleteException could change the response status to 401 or 403 (which is more appropriate?) Also, is this a bug, or is there some reason the BeforeDeleteException goes uncaught?
Any insight would be much appreciated.
I fear, you will need to change some code...
-- Dieter
participants (3): Chris Withers, Dieter Maurer, Joseph Kocherhans