Posts tagged 'http'

Members can’t add folders to Plone via WebDAV (401 Unauthorized)

This is a mirror of the (excellent) documentation at, but just a short editorial to also highlight that this is still very applicable to Plone 4.x. Effectively, the symptom is that users will report seeing a “401 Unauthorized” error when trying to create folders within areas they have access to as an Owner.  Without further ado, the documentation:

Using a WebDAV client on a Plone site, site users are unable to create newfolders directories where they have Owner role.


The WebDAV “make folder” method, MKCOL, requires the “Add Folders” permission. This is …

Adding a return URL during logout with CAS

CAS (Central Authentication Service) is a single-sign-on service (say that several times quickly) and through accessing a CAS /logout URL, as an application, you’re able to log the given user out.  What wasn’t clear (by Googling) was whether there’s a possibility to redirect the user back to the original application (or a given URL).  I now know, thanks to the CAS Protocol Documentation (section 2.3), that any posts that mention adding ?service=http://my.url/ to the /logout URL are incorrect, as this isn’t a valid parameter (at least not at time of writing).

However …

Disabling caching for sensitive web pages (aka how to prevent logged out users going ‘back’)

We all see web pages like Internet banking, HR systems, email, and more that allow you to log in, do something and load pages, log out, and then prevent you from using your browser’s history to see that sensitive information.  I’m amazed that in my searches I couldn’t quickly find a definitive source of information on how to achieve this.  Pages across the web in a search for ‘stop caching’ range from blog posts, to forum posts, to other pages, and people asking the question (try it: here, or maybe here).

Maybe I got unlucky, but finding …

Checking Plone REQUEST for Ajax’d requests (XMLHttpRequest)

Recently, I’ve needed a PloneFormGen (PFG) form of mine to have certain fields excluded when the form is displayed in one of Plone 4’s fancy popups.  At the same time, I need this field to still persist within the ‘standard’ view of the form.  It’s the request object to the rescue, and all I’ve had to do is insert this TALES expression against the Enabling Expression for my PFG field:

python:request.environ.get('HTTP_X_REQUESTED_WITH') != 'XMLHttpRequest'

and the end result is that unless the request is one of XMLHttpRequest, then we’ll show the field.

Shouldn …

Apache: Directories and trailing slashes

Apache does something interesting (yes, I still think it’s logical) when you’re accessing a directory that it’s serving: if you access it without a trailing slash, it’ll add one by default. This makes sense if you’re going after some static content or a folder index (or pretty much any sane usage) but it didn’t fit my use case of serving Plone using rewrite rules in a .htaccess file.

The issue that arises for myself with Plone is that my sites need to have their access customised through that .htaccess file and that’s been …