check errors

1 files changed, 10 insertions, 0 deletions

diff --git a/weed/s3api/s3api_object_handlers_copy_unified.go b/weed/s3api/s3api_object_handlers_copy_unified.go
index d11594420..255c3eb2d 100644
--- a/weed/s3api/s3api_object_handlers_copy_unified.go
+++ b/weed/s3api/s3api_object_handlers_copy_unified.go
@@ -2,12 +2,14 @@ package s3api
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"
 
 	"github.com/seaweedfs/seaweedfs/weed/glog"
 	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
+	weed_server "github.com/seaweedfs/seaweedfs/weed/server"
 )
 
 // executeUnifiedCopyStrategy executes the appropriate copy strategy based on encryption state
@@ -76,6 +78,14 @@ func (s3a *S3ApiServer) mapCopyErrorToS3Error(err error) s3err.ErrorCode {
 		return s3err.ErrNone
 	}
 
+	// Check for read-only errors (quota enforcement)
+	// Uses errors.Is() to properly detect wrapped errors
+	if errors.Is(err, weed_server.ErrReadOnly) {
+		// Bucket is read-only due to quota enforcement or other configuration
+		// Return 403 Forbidden per S3 semantics (similar to MinIO's quota enforcement)
+		return s3err.ErrAccessDenied
+	}
+
 	// Check for KMS errors first
 	if kmsErr := MapKMSErrorToS3Error(err); kmsErr != s3err.ErrInvalidRequest {
 		return kmsErr