perl_access, 502 errors, and gracefully removing permissions

[Julien ÉLIE]

Hi David,

> However, now, when newsgroups readers who were previously subscribed to
> that newsgroup try to connect, they're having problems with the GROUP
> (or some other newsgroup access command) returns a "502 Read access
> denied" error.

That's a compliant generic answer.

   502:  It is necessary to terminate the connection and to start a new
         one with the appropriate authority before the command can be used.


We do not know whether a command is a given command (like "GROUP") or
a whole command with its possible arguments (like "GROUP news.group").
I assume it is a whole command line.



> tin 1.8.3 dies after connecting
>
> Thunderbird 3.1.2 Windows gives a popup: "A News (NNTP) error occurred:
> Read access denied" and it seems inconsistent when it is able to pull
> down other newsgroups versus that connection timing out.

That does not seem good.  Looks like a bug.
I have just contacted their authors to ask for information.



> I tested telnetting into the news server on port 119.  A 502 error on
> the GROUP command does not terminate the connection (which seems to
> follow the RFC), but it looks like some readers just can't handle that
> code in that place.

Just to be sure:  is the newsgroup listed in response to "LIST ACTIVE"?
(or "LIST ACTIVE newsgroup")

My guess is that they are not listed.  Do you confirm?
It would then be strange that tin or Thunderbird do not remove the
newsgroup from the available list of newsgroups.  There is something
I do not understand.  Do they probe them and expect a 411 answer?!?

Well, we could answer 411 for them instead of 502.
It depends on the amount of information we want to give.  I still believe
that 502 is better because 502 contains a useful information (the group
does exist and one has to authenticate in some way).

In our wishlist, there is for instance:
    http://inn.eyrie.org/trac/ticket/46



> The obvious solution is to remove the restricted newsgroup from the
> reader's newsrc.  That works well enough.  But the errors aren't obvious
> (even on which newsgroup is causing the problem), and that means helping
> a lot of people update their news config.  I also see this as a
> potential future repeating event (this semester we have this newsgroup,
> next semester its access goes away, etc.), so I'm looking for a
> scalable/supportable solution.

Of course that solution is not satisfying.



> Any suggestions for a server-based way to restrict access to this group
> without causing problems with previously subscribed newsreaders?

No idea, sorry.
I see that python_dynamic behaves the same way and answers 502 to GROUP.

Maybe other people here will have an idea for your problem.



> I wonder if the scenario would be different if the GROUP command returned
> a "411 No such group" to newsgroups not listed in the read part of
> perl_access?

Probably.



> What's the "normal way" to handle newsgroups that go away?

The way you did.

-- 
Julien ÉLIE

« Pour une personne optimiste, le verre est à moitié plein.
  Pour une personne pessimiste, il est à moitié vide.
  Pour l'informaticien, il est deux fois plus grand que nécessaire. »