
Upon unauthorized access, Plone by default provides a redirect to the login form. I need to prevent this for certain subpaths (i.e. not globally), and instead return 403 Forbidden with a custom (short) HTML page, after the (otherwise) normal Plone authentication and authorization has taken place.

I looked into ITraversable, but using that takes place too early in the request processing chain, i.e. before auth etc.

One possible yet unexplored method is having a custom view injected into the URL path that performs auth checks on the object that maps to the remaining subpath. So there could be a request with a URL something like http://myplone/somepath/customview/withcustom403, where:

  1. The customview view implements IPublishTraverse, and its publishTraverse() returns itself
  2. The same view then next validates, in its __call__ method, the access to the withcustom403 object, i.e. by calling getSecurityManager().validate()
  3. If validation fails, the view sets response to 403 and returns the custom HTML

Would this work? Or is there some event triggered after auth takes place, but before Plone calls response.Unauthorized() (triggering redirect), that would provide a cleaner solution?

This is for current Plone 4.3.4.

Petri
  • Related: http://stackoverflow.com/questions/6351610/make-plone-give-proper-403-forbidden-errors – Petri Mar 16 '15 at 09:16

2 Answers


You could create a new PAS Challenge plugin based on the acl_users/credentials_cookie_auth plugin and make sure to move it to the top of the Challenge plugins in acl_users.

Or maybe use a monkey patch to change the current plugin. For demonstration purposes only, you can edit Products/PluggableAuthService/plugins/CookieAuthHelper.py. In the unauthorized method, you will see these lines:

url = '%s%scame_from=%s' % (url, sep, quote(came_from))
resp.redirect(url, lock=1)

Before those lines, add two lines to prevent unauthorized access to any resource that has nogo in its url:

if 'nogo' in came_from:
    return 1

If you create your own plugin, check the setupAuthPlugins function in Products/PlonePAS/Extensions/Install.py for a way to install it if you do not want to do it by hand.

maurits
  • BTW there's now a PAS plugin that only redirects to login form if the UA is a browser: https://pypi.python.org/pypi/koodaamo.pas.browseronlyredirect/ – Petri Aug 24 '15 at 10:04
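The following is an added example, not code from the answer above or from Plone/PAS itself: it sketches the decision a custom PAS challenge plugin would make along the lines maurits describes, but with a segment-aware path match instead of the substring test `'nogo' in came_from` (which would also match /nogone/... or a query string containing the word). The request and response objects are small stand-ins so the logic runs outside Zope; in a real plugin the `challenge` function would be the body of IChallengePlugin.challenge(self, request, response) on a class derived from Products.PluggableAuthService.plugins.BasePlugin. FORBIDDEN_PREFIXES, FORBIDDEN_BODY, the stand-in classes and the simplified came_from handling are assumptions of this example.

```python
"""Sketch of the challenge decision made by a custom PAS challenge plugin.

Added example: FakeRequest/FakeResponse stand in for Zope's HTTPRequest
and HTTPResponse so the code runs without Plone. The real plugin would
subclass BasePlugin and declare IChallengePlugin.
"""
from urllib.parse import quote, urlsplit

# Hypothetical configuration: paths (relative to the site root) under which
# an unauthorized request gets a 403 instead of a login redirect.
FORBIDDEN_PREFIXES = ("/somepath/withcustom403", "/nogo")

# Short custom 403 page (constructed for this example).
FORBIDDEN_BODY = (
    "<!DOCTYPE html><html><head><title>403 Forbidden</title></head>"
    "<body><h1>403 Forbidden</h1>"
    "<p>You are not allowed to access this resource.</p></body></html>"
)


class FakeRequest:
    """Minimal stand-in for a Zope request: only the two values we read."""

    def __init__(self, url, site_url="http://myplone"):
        self.url = url            # full request URL (Zope: request['URL'])
        self.site_url = site_url  # portal root URL (Zope: portal_url())


class FakeResponse:
    """Minimal stand-in for a Zope response; records what the plugin set."""

    def __init__(self):
        self.status = 200
        self.headers = {}
        self.body = ""
        self.redirected_to = None

    def setStatus(self, code):
        self.status = code

    def setHeader(self, name, value):
        self.headers[name] = value

    def setBody(self, body):
        self.body = body

    def redirect(self, url, lock=1):
        self.status = 302
        self.redirected_to = url


def path_is_forbidden(url, site_url, prefixes=FORBIDDEN_PREFIXES):
    """Segment-aware prefix match on the path below the site root.

    /nogo and /nogo/child match; /nogone and ?x=nogo do not.
    """
    path = urlsplit(url).path
    site_path = urlsplit(site_url).path.rstrip("/")
    if site_path and path.startswith(site_path):
        path = path[len(site_path):]
    path = path.rstrip("/") or "/"
    for prefix in prefixes:
        prefix = prefix.rstrip("/")
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def challenge(request, response, login_form="require_login"):
    """Return True when this plugin handled the challenge (PAS stops here).

    Forbidden subpaths get a 403 with the short HTML body; everything else
    gets the usual redirect to the login form with came_from, built the
    same way credentials_cookie_auth builds it (simplified: came_from is
    taken to be the request URL).
    """
    if path_is_forbidden(request.url, request.site_url):
        response.setStatus(403)
        response.setHeader("Content-Type", "text/html; charset=utf-8")
        response.setBody(FORBIDDEN_BODY)
        return True
    url = "%s/%s" % (request.site_url, login_form)
    sep = "&" if "?" in url else "?"
    url = "%s%scame_from=%s" % (url, sep, quote(request.url))
    response.redirect(url, lock=1)
    return True
```

Because PAS stops at the first challenge plugin whose challenge() returns a true value, such a plugin has to sit above credentials_cookie_auth in the Challenge plugins list of acl_users, exactly as the answer says; otherwise the cookie plugin redirects first and this code never runs.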

You could override Products/CMFPlone/skins/plone_login/require_login.py and add any logic that you want there to give a custom response.

Or bypass require_login completely and use your own browser view to handle this. In your Plone Site, go to acl_users/credentials_cookie_auth/manage_propertiesForm and, for the Login Form property, replace require_login with your browser view name.

maurits