[#574] Produce deny records for private objects in put-object-acl

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
Alex Vanin 2022-07-21 16:06:52 +03:00 committed by Alex Vanin
parent 66fe3fee7b
commit d7f77ce874


@ -1149,6 +1149,19 @@ func aclToAst(acl *AccessControlPolicy, resInfo *resourceInfo) (*ast, error) {
ops = append(ops, writeOps...)
}
// Expect to have at least 1 full control grant for owner which is set in
// parseACLHeaders(). If there is no other grants, then user sets private
// canned ACL, which is processed in this branch.
if len(acl.AccessControlList) < 2 {
for _, op := range ops {
operation := &astOperation{
Op: op,
Action: eacl.ActionDeny,
}
resource.Operations = append(resource.Operations, operation)
}
}
for _, op := range ops {
operation := &astOperation{
Users: []string{acl.Owner.ID},
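Review bot: The `len(acl.AccessControlList) < 2` check infers a private canned ACL from the grant count alone, so an empty list, or a single grant that is not the owner's full control grant, would also take the deny branch. Because this condition decides which access-control records are produced, I would test the grant itself rather than the count (the grant's fields are not visible in this hunk), or at least state the invariant next to the check, e.g. `// Invariant: the only grant here is the owner's full control grant added by parseACLHeaders().` The deny operations are also built without `Users` and are appended to `resource.Operations` before the owner's allow operations. If that order carries over to the resulting table and matching is first-hit, the owner could be denied as well, so a test that the owner keeps access after a private put-object-acl would be worth adding. aclToAst starts before this hunk and continues after it, so the conversion step is not visible here.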