[Zope] Re: BeforeDeleteException and FTP "530 Unauthorized" messages

Joseph Kocherhans jkocherhans at mac.com
Wed Mar 31 16:06:22 EST 2004


Well I've solved it for now. It smells hackish, but it seems to work 
well, and it's simple. At least I didn't have to patch any ZServer code ;)

I created a new Exception class:

     from OFS.ObjectManager import BeforeDeleteException
     class Unauthorized(BeforeDeleteException): pass

and then raised this new Unauthorized exception in manage_beforeDelete if 
the permission check fails:

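     from AccessControl import getSecurityManager

     # body of manage_beforeDelete; DeleteFiles is defined elsewhere (not shown in the post)
     user = getSecurityManager().getUser()
     if not user.has_permission(DeleteFiles, self):
         raise Unauthorized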

This gives me the pretty "Insufficient Privileges" error in Plone and a 
"530 Unauthorized" error via FTP if I'm not allowed to delete the file. 
It also seems to abort the transaction if I'm trying to delete multiple 
files TTW, which is exactly what I wanted. FTP deletion will go ahead 
for any allowed files since it carries out deletions one at a time. 
Somehow I doubt that all FTP clients handle folder deletion in the same 
way, so we'll see how that pans out.

Hopefully things will be easier in Zope3. This thread seems to give some 
hope anyhow. 
http://mail.zope.org/pipermail/zope3-dev/2004-January/009298.html

Joseph Kocherhans wrote:

> I've just spent a few hours digging around in ZServer and friends. I 
> haven't wrapped my head around everything, but the basic idea I get is 
> that if a user is not allowed to delete objects from a container, then 
> either an Unauthorized or Forbidden exception is raised (I'm still not 
> able to tell which). This is then translated to its respective code 
> (401 or 403) and set as the status of a Response object. Then, in 
> FTPServer the 401 or 403 is returned to the ftp client as "530 
> Unauthorized"
> 
> I have a product that is using BeforeDeleteException to veto object 
> deletion. I would expect that when I tried to delete the object via FTP 
> that the ftp client would get "530 Unauthorized", but it gets nothing 
> and the BeforeDeleteException is going uncaught.
> 
> It seems to me that in ZServer the http response status is directly tied 
> to the exception type (either Unauthorized or Forbidden.) Does anyone 
> know how I might go about getting the ftp server to return "530 Unauthorized" 
> if object deletion is vetoed with BeforeDeleteException? Or more 
> specifically how a BeforeDeleteException could change the response 
> status to 401 or 403 (which is more appropriate?) Also, is this a bug, 
> or is there some reason the BeforeDeleteException goes uncaught?
> 
> Any insight would be much appreciated.
> 
> Thanks,
> joseph
> 
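Added example, not part of the original post and not Zope or ZServer code: a self-contained Python model of the behaviour described in the reply above, where a veto raised from manage_beforeDelete rolls back a whole through-the-web batch but only blocks the individual file over FTP. The File and Folder classes, the user and file names and the "250 OK" reply are constructed stand-ins; only the exception names and the "530 Unauthorized" text come from the post.

```python
from contextlib import suppress

class BeforeDeleteException(Exception):
    """Stand-in for OFS.ObjectManager.BeforeDeleteException (not Zope code)."""
class Unauthorized(BeforeDeleteException):
    """The post's subclass: a delete veto that also signals an auth failure."""

class File:
    def __init__(self, deleters):
        self.deleters = set(deleters)  # hypothetical: users allowed to delete

    def manage_beforeDelete(self, user):
        if user not in self.deleters:
            raise Unauthorized()  # veto, same shape as the post's check

class Folder:
    def __init__(self, files):
        self.files = dict(files)
    def _delete(self, name, user):
        self.files[name].manage_beforeDelete(user)  # may veto
        del self.files[name]

    def delete_batch(self, names, user):
        """Through-the-web style: one request, one transaction, all or nothing."""
        snapshot = dict(self.files)
        try:
            for name in names:
                self._delete(name, user)
        except BeforeDeleteException:
            self.files = snapshot  # models the transaction abort
            raise

    def delete_ftp(self, names, user):
        """FTP style: one delete per file, each handled as its own request."""
        replies = {}
        for name in names:
            try:
                self._delete(name, user)
                replies[name] = "250 OK"  # constructed success reply
            except Unauthorized:
                replies[name] = "530 Unauthorized"  # reply text from the post
        return replies

def demo():
    make = lambda: Folder({"a.txt": File({"alice"}), "b.txt": File({"alice", "bob"})})  # constructed
    web, ftp = make(), make()
    with suppress(Unauthorized):
        web.delete_batch(["b.txt", "a.txt"], "bob")
    return sorted(web.files), ftp.delete_ftp(["b.txt", "a.txt"], "bob"), sorted(ftp.files)
```

demo() returns the web folder unchanged, the per-file FTP replies, and the FTP folder with only a.txt left, which is the partial-deletion outcome the post describes.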



