[#1485] ir/container: Accept eACL only if extension is allowed
In order to extend container ACL `F` bit must be set in basic ACL. Make `Container` contract processor to deny eACL tables bound to non-extendable containers. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
This commit is contained in:
parent
af7d15cc1a
commit
0937513c14
2 changed files with 13 additions and 0 deletions
|
@ -3,6 +3,9 @@ Changelog for NeoFS Node
|
||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
- Confirmation of eACL tables by alphabet nodes when ACL extensibility is disabled (#1485)
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
- Replace pointers with raw structures in results for local storage (#1460)
|
- Replace pointers with raw structures in results for local storage (#1460)
|
||||||
|
|
||||||
|
|
|
@ -51,6 +51,16 @@ func (cp *Processor) checkSetEACL(e container.SetEACL) error {
|
||||||
return fmt.Errorf("could not receive the container: %w", err)
|
return fmt.Errorf("could not receive the container: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ACL extensions can be disabled by basic ACL, check it
|
||||||
|
basicACL := cnr.BasicACL()
|
||||||
|
const finalBitMask = 1 << 28
|
||||||
|
|
||||||
|
// Temp solution: NeoFS SDK is going to provide convenient interface to do this soon.
|
||||||
|
// This place won't be missed since BasicACL() signature will be changed.
|
||||||
|
if basicACL&finalBitMask == finalBitMask {
|
||||||
|
return errors.New("ACL extension disabled by container basic ACL")
|
||||||
|
}
|
||||||
|
|
||||||
ownerContainer := cnr.OwnerID()
|
ownerContainer := cnr.OwnerID()
|
||||||
if ownerContainer == nil {
|
if ownerContainer == nil {
|
||||||
return errors.New("missing container owner")
|
return errors.New("missing container owner")
|
||||||
|
|
Loading…
Reference in a new issue