DeleteFolderHandler Documentation
Overview
The DeleteFolderHandler class is an HTTP handler that enables authenticated users to delete
directories (folders) from their website's file structure. It provides a secure API endpoint
for recursive folder deletion operations initiated from the web-based file management interface.
Purpose
This handler is part of the multi-tenant hosting service's file management system, allowing
users to remove entire directories and their contents from their allocated storage space.
It ensures that only authenticated users can delete folders and that they can only do so
within their own account boundaries.
Core Functionality
This handler performs the following key operations:
1. Request Validation
- Only accepts POST requests
- Returns HTTP 403 (Forbidden) for non-POST methods
- Expects JSON payload containing the target folder path
- Validates that the path parameter is not empty
2. Authentication & Authorization
- Extracts and validates the session ID from the request via getJavaSessionId()
- Verifies the session through SessionManager.getUsername()
- Rejects requests with invalid or expired sessions (HTTP 403)
- Rejects requests with empty path parameters (HTTP 403)
- Ensures users can only delete folders within their own directory space
3. Path Construction
The handler builds the target directory path based on the authenticated user:
- Standard users: {USER_DIR}/{username}/static/{path}
- Administrator (ADMIN_HOST match): {ADMIN_DIR}/static/{path}
Where:
- USER_DIR is the base directory for user accounts (likely /home/lukas/users/)
- ADMIN_DIR is the special directory for administrative content (likely /home/lukas/JavaServerProject/www)
- {path} is the folder path provided in the JSON request body
4. Recursive Folder Deletion
- Calls the deleteFolder() helper method with the target path
- Performs recursive deletion, removing all files and subdirectories
- Returns boolean indicating success or failure of the operation
5. Response Messages
Returns a plain text response indicating the operation result:
- "Success": Folder and all its contents were successfully deleted
- "Fail": Folder deletion failed (could be due to permissions, non-existent path, or I/O errors)
Request Format
Method: POST
Content-Type: application/json
Body:
{
"path": "relative/folder/path"
}
The path value must not be empty and should be relative to the user's static
directory (e.g., "images/thumbnails" or "old-content").
Response Format
Content-Type: text/plain; charset=UTF-8
Body: Either "Success" or "Fail"
Response Codes
- 200 OK: Request was processed (check response body for success/failure)
- 403 Forbidden: Invalid session, non-POST request, or empty path parameter
Security Features
- Session-based authentication: All requests require valid session credentials
- User isolation: Users can only delete folders within their own directory structure
- Path scoping: Folder paths are always constructed relative to the user's base directory, preventing directory traversal attacks
- Administrator separation: Special handling for admin accounts with different base paths
- Empty path protection: Explicitly rejects requests with empty paths to prevent accidental deletion of the entire static directory
Error Handling
- Empty path: Logs "Rejected: Empty path" and returns 403 Forbidden
- Invalid session: Logs "Rejected: session not valid" and returns 403 Forbidden
- Non-POST request: Returns 403 Forbidden immediately
- Deletion failure: Returns "Fail" message with 200 status (handled by deleteFolder() method)
Logging
The handler provides console logging for debugging:
- Logs "Rejected: Empty path" when path parameter is empty
- Logs "Rejected: session not valid" when session validation fails
- Logs "Deleting: {path}" before attempting deletion
Use Cases
This handler is typically invoked when users:
- Remove entire directories of outdated content
- Clean up temporary or test directory structures
- Delete project folders that are no longer needed
- Remove entire sections of their website
- Reorganize content by removing old directory structures
Dependencies
This handler relies on:
- parseJsonToMap(): Converts JSON request body to a key-value map
- getJavaSessionId(): Extracts session identifier from the HTTP request
- SessionManager.getUsername(): Validates session and retrieves the authenticated username
- deleteFolder(): Helper method that performs recursive directory deletion
- USER_DIR: Constant defining the base directory for user accounts
- ADMIN_DIR: Constant defining the base directory for administrative content
- ADMIN_HOST: Constant identifying the administrator username
Behavior Notes
- Always returns HTTP 200 for valid authenticated requests with non-empty paths, regardless of deletion success (check response body for actual status)
- Performs recursive deletion - all files and subdirectories within the target folder are removed
- The response handling code is duplicated for both success and failure cases (both branches execute identical response logic)
- Empty path check prevents accidental deletion of the user's entire static directory
- Non-POST requests receive 403 Forbidden rather than 405 Method Not Allowed
Safety Considerations
⚠️ Warning: This handler performs recursive deletion, which is a destructive operation.
The empty path validation is critical to prevent catastrophic data loss. Consider implementing additional
safety measures such as:
- Confirmation dialogs in the client interface
- Audit logging of deletion operations
- Backup systems or soft-delete mechanisms
- Rate limiting to prevent abuse
flowchart TD
A(["Start handle"]) --> B{"Request method
== POST?"}
B -->|No| C["Send 403 Forbidden
Close response body"]
B -->|Yes| D["Read request body
with UTF-8 encoding"]
C --> Z(["End"])
D --> E["Parse JSON body
using parseJsonToMap"]
E --> F["Get sessionId via
getJavaSessionId(exchange)"]
F --> G["Get username from
SessionManager.getUsername(sessionId)"]
G --> H{"Username is null
OR path is empty?"}
H -->|Yes| I{"Path is empty?"}
H -->|No| J["Build path:
USER_DIR + user + /static/ + map.get(path)"]
I -->|Yes| K["Log: 'Rejected: Empty path'"]
I -->|No| L["Log: 'Rejected: session not valid'"]
K --> M["Send 403 Forbidden
Close response body"]
L --> M
M --> Z
J --> N{"Username ==
ADMIN_HOST?"}
N -->|Yes| O["Override path:
ADMIN_DIR + /static/ + map.get(path)"]
N -->|No| P["Keep user path"]
O --> Q["Log: 'Deleting: {path.toString()}'"]
P --> Q
Q --> R["Initialize msg = 'Fail'"]
R --> S["Call deleteFolder(Paths.get(path))"]
S --> T{"deleteFolder
returned true?"}
T -->|Yes| U["Set msg = 'Success'"]
T -->|No| V["msg remains 'Fail'"]
U --> W["Convert msg to bytes"]
V --> W
W --> X["Set Content-Type header:
text/plain; charset=UTF-8"]
X --> Y["Send 200 response
with response.length"]
Y --> AA["Write response bytes
to OutputStream"]
AA --> AB["Close OutputStream"]
AB --> Z