[#69] Forbid SetEACL operation if basic acl final

Signed-off-by: Denis Kirillov <denis@nspcc.ru>
This commit is contained in:
Denis Kirillov 2022-09-20 17:03:16 +03:00 committed by Alex Vanin
parent 09e8196ed4
commit 630547d488

View file

@ -90,6 +90,11 @@ func (a *API) PutContainerEACL(params operations.PutContainerEACLParams, princip
return operations.NewPutContainerEACLBadRequest().WithPayload(resp)
}
if err = checkContainerExtendable(params.HTTPRequest.Context(), a.pool, cnrID); err != nil {
resp := a.logAndGetErrorResponse("check acl allowance", err)
return operations.NewPutContainerEACLBadRequest().WithPayload(resp)
}
st, err := formSessionTokenFromHeaders(principal, params.XBearerSignature, params.XBearerSignatureKey, sessionv2.ContainerVerbSetEACL)
if err != nil {
resp := a.logAndGetErrorResponse("invalid session token headers", err)
@ -220,11 +225,28 @@ func (a *API) DeleteContainer(params operations.DeleteContainerParams, principal
WithAccessControlAllowOrigin("*")
}
func getContainerInfo(ctx context.Context, p *pool.Pool, cnrID cid.ID) (*models.ContainerInfo, error) {
func checkContainerExtendable(ctx context.Context, p *pool.Pool, cnrID cid.ID) error {
cnr, err := getContainer(ctx, p, cnrID)
if err != nil {
return fmt.Errorf("get container: %w", err)
}
if !cnr.BasicACL().Extendable() {
return fmt.Errorf("container acl isn't extendable")
}
return nil
}
func getContainer(ctx context.Context, p *pool.Pool, cnrID cid.ID) (container.Container, error) {
var prm pool.PrmContainerGet
prm.SetContainerID(cnrID)
cnr, err := p.GetContainer(ctx, prm)
return p.GetContainer(ctx, prm)
}
func getContainerInfo(ctx context.Context, p *pool.Pool, cnrID cid.ID) (*models.ContainerInfo, error) {
cnr, err := getContainer(ctx, p, cnrID)
if err != nil {
return nil, err
}