From 7e3ea77fdf5bc219992b05146726dadeea114f22 Mon Sep 17 00:00:00 2001
From: P R <25353498+BigUstad@users.noreply.github.com>
Date: Wed, 6 May 2020 21:31:44 -0700
Subject: [PATCH] Checking for access denied in web browser request. (#9523)

Fixes #9485
---
 cmd/typed-errors.go | 3 +++
 cmd/web-handlers.go | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/cmd/typed-errors.go b/cmd/typed-errors.go
index 254a4641b..8b9a941e7 100644
--- a/cmd/typed-errors.go
+++ b/cmd/typed-errors.go
@@ -92,3 +92,6 @@ var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed und
 // error returned when access is denied.
 var errAccessDenied = errors.New("Do not have enough permissions to access this resource")
+
+// error returned when object is locked.
+var errLockedObject = errors.New("Object is WORM protected and cannot be overwritten or deleted")
diff --git a/cmd/web-handlers.go b/cmd/web-handlers.go
index 91a5511e7..5a2acb227 100644
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@@ -719,6 +719,9 @@ next:
 }
 apiErr := enforceRetentionBypassForDeleteWeb(ctx, r, args.BucketName, objectName, getObjectInfo, govBypassPerms)
+ if apiErr == ErrObjectLocked {
+ return toJSONError(ctx, errLockedObject)
+ }
 if apiErr != ErrNone && apiErr != ErrNoSuchKey {
 return toJSONError(ctx, errAccessDenied)
 }
@@ -2140,7 +2143,7 @@ func toWebAPIError(ctx context.Context, err error) APIError {
 Description: err.Error(),
 }
 case errAuthentication, auth.ErrInvalidAccessKeyLength,
- auth.ErrInvalidSecretKeyLength, errInvalidAccessKeyID:
+ auth.ErrInvalidSecretKeyLength, errInvalidAccessKeyID, errAccessDenied, errLockedObject:
 return APIError{
 Code: "AccessDenied",
 HTTPStatusCode: http.StatusForbidden,
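Review bot: In the `@@ -719,6 +719,9 @@` hunk of cmd/web-handlers.go, the new `apiErr == ErrObjectLocked` branch answers with a message that confirms the object exists and is under retention, while every other failure of `enforceRetentionBypassForDeleteWeb` is still folded into `errAccessDenied`. The permission check for the delete itself is not visible in the hunk, so it should be confirmed that it runs before this call; if it does not, the two different responses disclose retention state to a caller who has no delete rights on the object. I would record the assumption next to the branch, for example `// caller has already passed the delete permission check, so reporting the lock state is safe`. The surrounding loop and handler begin and end outside the hunk.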
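Review bot: In the `@@ -2140,7 +2143,7 @@` hunk, `errAccessDenied` and `errLockedObject` are appended to the case that already holds `errAuthentication` and the invalid-key errors, so a bad credential, an authorization refusal and a retention refusal all come back as `Code: "AccessDenied"` with 403. Anything keyed on Code rather than on the description, such as client-side handling or alerting on failed logins, can no longer separate credential failures from policy or WORM refusals. If that distinction matters, give the two new errors their own `case errAccessDenied, errLockedObject:` arm. Otherwise, document the shared mapping with a comment such as `// authorization and retention refusals deliberately share the 403 AccessDenied mapping with credential errors`. The case list would also read better with one error per line, and the rest of the returned APIError lies past the end of the hunk.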