From d7f77ce8748f1423371e87b0917eab5f6596c291 Mon Sep 17 00:00:00 2001
From: Alex Vanin
Date: Thu, 21 Jul 2022 16:06:52 +0300
Subject: [PATCH] [#574] Produce deny records for private objects in put-object-acl

Signed-off-by: Alex Vanin
---
 api/handler/acl.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/api/handler/acl.go b/api/handler/acl.go
index 7befb298..36a5de61 100644
--- a/api/handler/acl.go
+++ b/api/handler/acl.go
@@ -1149,6 +1149,19 @@ func aclToAst(acl *AccessControlPolicy, resInfo *resourceInfo) (*ast, error) {
 ops = append(ops, writeOps...)
 }

+ // Expect to have at least 1 full control grant for owner which is set in
+ // parseACLHeaders(). If there is no other grants, then user sets private
+ // canned ACL, which is processed in this branch.
+ if len(acl.AccessControlList) < 2 {
+ for _, op := range ops {
+ operation := &astOperation{
+ Op: op,
+ Action: eacl.ActionDeny,
+ }
+ resource.Operations = append(resource.Operations, operation)
+ }
+ }
+
 for _, op := range ops {
 operation := &astOperation{
 Users: []string{acl.Owner.ID},
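Review bot: The `len(acl.AccessControlList) < 2` check infers "private canned ACL" from the grant count alone and never confirms that the single grant is the owner's full-control grant that the comment says parseACLHeaders() adds. If an `*AccessControlPolicy` can reach aclToAst from a request body rather than from headers (not visible in this hunk), a list with two grants that both name the owner would skip the deny records, and an empty list would silently be treated as private. Consider deciding on the grantees instead, emitting the deny records when no grant names anyone other than `acl.Owner.ID`, and add tests for the one-grant, duplicate-owner-grant and empty-list cases. The deny operations carry no `Users` and are appended before the owner's operations, so if record order matters when the ast is converted to eACL records, a comment such as `// deny applies to others only; the owner record below still grants access` would document the intent. aclToAst begins and ends outside this hunk.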