[#1485] ir/container: Accept eACL only if extension is allowed
In order to extend container ACL, the `F` bit must be set in basic ACL. Make the `Container` contract processor deny eACL tables bound to non-extendable containers. Signed-off-by: Leonard Lyubich <leonard@nspcc.ru>
parent
af7d15cc1a
commit
0937513c14
2 changed files with 13 additions and 0 deletions
|
@ -3,6 +3,9 @@ Changelog for NeoFS Node
|
|||
|
||||
## [Unreleased]
|
||||
|
||||
### Fixed
|
||||
- Confirmation of eACL tables by alphabet nodes when ACL extensibility is disabled (#1485)
|
||||
|
||||
### Changed
|
||||
- Replace pointers with raw structures in results for local storage (#1460)
|
||||
|
||||
|
|
|
@ -51,6 +51,16 @@ func (cp *Processor) checkSetEACL(e container.SetEACL) error {
|
|||
return fmt.Errorf("could not receive the container: %w", err)
|
||||
}
|
||||
|
||||
// ACL extensions can be disabled by basic ACL, check it
|
||||
basicACL := cnr.BasicACL()
|
||||
const finalBitMask = 1 << 28
|
||||
|
||||
// Temp solution: NeoFS SDK is going to provide convenient interface to do this soon.
|
||||
// This place won't be missed since BasicACL() signature will be changed.
|
||||
if basicACL&finalBitMask == finalBitMask {
|
||||
return errors.New("ACL extension disabled by container basic ACL")
|
||||
}
|
||||
|
||||
ownerContainer := cnr.OwnerID()
|
||||
if ownerContainer == nil {
|
||||
return errors.New("missing container owner")
|
||||
|
|
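Review bot: The polarity of the new check in checkSetEACL is not pinned anywhere a reader can verify it: the commit description says the `F` bit must be set in order to extend the ACL, while the added code rejects the table when bit 28 is set (`basicACL&finalBitMask == finalBitMask`). Since this is an authorization decision taken by the alphabet nodes, I would state the meaning at the constant, e.g. `// finalBitMask selects the F (final) bit of basic ACL; when it is set, eACL tables must be rejected`, and correct whichever of the description or the code is wrong. Neither of the two changed files appears to be a test, so a case for checkSetEACL with the bit set and one with it cleared would keep the polarity from flipping silently when BasicACL() changes signature, as the temp-solution comment expects. The function's body starts and ends outside this hunk.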