Plone sends user to error page instead of a normal access denied/403 page

Any idea why plone goes to an error page instead of an access denied page? Is this normal plone functionality?

...maybe because the error isn't about permissions?

This is "normal" although it's wrong IMHO.
I agree with you: forbidden is not an error.

I opened an issue about this... somewhere (I can't find it).

Maybe it's a security feature and not a bug? "Access denied" reveals that an object behind the address exists, sometimes one doesn't want this info to be available. (Wild guess)

@pe82 Which error do you get, a 404?

The log says it is permissions:

2017-06-20 17:15:10 DEBUG ImplPython Unauthorized: Your user account does not have the required permission. Access to 'manage' of (PloneSite at /intranet) denied. Your user account, USER987 , exists at /intranet/acl_users. Access requires View_management_screens_Permission, granted to the following roles: ['Manager', 'Owner']. Your roles in this context are ['Authenticated', u'Reader'].

So since this is "normal" for plone, does anyone know how to actually change it to a 403/access denied page?

It is actually a 401 error it seems... but it is showing an error page! Any ideas on how to change this to a proper page? Is there a place in zmi that I can change it or how would you do it?

At least the resolution of the error is written in the msg: Assign the Manager- and the Owner-role to the user(s), or grant access for users holding the Reader-role.

For customizing the 401-view, suggesting to continue the discussion in the ticket keul opened.

True but I think he enabled verbose security to see those details, and he shouldn't run with that enabled normally.


True, verbose security is on in dev env to see that message, but off in production so it only shows an error to the user. We don't want all users to have permission. There are some users that should not have permission, that's why we want to show them a page that tells them they do not have permission or maybe redirect them to another page.

Since this bug has not been addressed for more than a year, I am trying to go at it from my webserver. Hopefully a rewriterule on apache or similar would fix it. I'll keep you posted.

The mapping from error numbers (more precisely "HTTP response codes") to error pages is usually done in the web server.

A 401 response usually does not lead to an error number but results in the browser's login dialog. Some special configuration is active so that you see an error page (likely in the web server).

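One way to do the web-server-side mapping described in the post above, as an added example that is not from anyone in this thread: an Apache 2.4 reverse-proxy fragment that replaces Plone's 401 (and 403) response with a static access-denied page served by Apache. The backend address, the site hostname and the page path are assumptions; the Plone site id /intranet is the one from the log earlier in the thread.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_proxy,
# mod_proxy_http and mod_rewrite, and Plone listening on 127.0.0.1:8080.
<VirtualHost *:443>
    # Assumed hostname.
    ServerName intranet.example.org

    # Static page served by Apache itself (assumed path), never proxied.
    Alias /access-denied.html /var/www/errors/access-denied.html
    <Directory /var/www/errors>
        Require all granted
    </Directory>

    # Let Apache's own ErrorDocument replace 4xx/5xx responses coming back
    # from the backend. The backend's response headers are dropped as well,
    # so the WWW-Authenticate header that would trigger the browser's login
    # dialog for a 401 never reaches the client.
    # Caveat: this overrides every backend error status, including Plone's
    # own 404 page, and suppresses any backend authentication challenge for
    # the whole vhost, so scope it to the paths where that is acceptable.
    ProxyErrorOverride On
    ErrorDocument 401 /access-denied.html
    ErrorDocument 403 /access-denied.html

    # Pass everything else to Plone through the VirtualHostMonster.
    RewriteEngine On
    RewriteRule ^/access-denied\.html$ - [L]
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/intranet/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

The status code stays 401 or 403; only the body and headers the client sees come from Apache, so check the access log rather than the browser to confirm which code Plone actually returned.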

Yeah, I removed the www-authenticate header, because of another plone bug -- sorry... "feature" lol...

If the logs are not showing an error, why do you insist it is an error? Stripping the www-authenticate header doesn't magically make it an error. Also, even with the headers untouched I get the same error page.