diff --git a/api/handler/acl_test.go b/api/handler/acl_test.go index 8bb6a06..14b3cf4 100644 --- a/api/handler/acl_test.go +++ b/api/handler/acl_test.go @@ -191,6 +191,7 @@ func TestDeleteBucketWithPolicy(t *testing.T) { require.Len(t, hc.h.ape.(*apeMock).policyMap, 1) require.Len(t, hc.h.ape.(*apeMock).chainMap[engine.ContainerTarget(bi.CID.EncodeToString())], 4) + hc.owner = bi.Owner deleteBucket(t, hc, bktName, http.StatusNoContent) require.Empty(t, hc.h.ape.(*apeMock).policyMap) diff --git a/api/handler/delete.go b/api/handler/delete.go index fe2be32..086096a 100644 --- a/api/handler/delete.go +++ b/api/handler/delete.go @@ -244,6 +244,11 @@ func (h *handler) DeleteBucketHandler(w http.ResponseWriter, r *http.Request) { return } + if reqInfo.User != bktInfo.Owner.String() { + h.logAndSendError(w, "request owner id does not match bucket owner id", reqInfo, errors.GetAPIError(errors.ErrAccessDenied)) + return + } + var sessionToken *session.Container boxData, err := middleware.GetBoxData(r.Context()) diff --git a/api/handler/delete_test.go b/api/handler/delete_test.go index 80d23c8..68fdbb5 100644 --- a/api/handler/delete_test.go +++ b/api/handler/delete_test.go @@ -37,6 +37,7 @@ func TestDeleteBucketOnAlreadyRemovedError(t *testing.T) { deleteObjects(t, hc, bktName, [][2]string{{objName, emptyVersion}}) + hc.owner = bktInfo.Owner deleteBucket(t, hc, bktName, http.StatusNoContent) } @@ -53,11 +54,12 @@ func TestDeleteBucket(t *testing.T) { tc := prepareHandlerContext(t) bktName, objName := "bucket-for-removal", "object-to-delete" - _, objInfo := createVersionedBucketAndObject(t, tc, bktName, objName) + bktInfo, objInfo := createVersionedBucketAndObject(t, tc, bktName, objName) deleteMarkerVersion, isDeleteMarker := deleteObject(t, tc, bktName, objName, emptyVersion) require.True(t, isDeleteMarker) + tc.owner = bktInfo.Owner deleteBucket(t, tc, bktName, http.StatusConflict) deleteObject(t, tc, bktName, objName, objInfo.VersionID()) deleteBucket(t, tc, bktName, http.StatusConflict) @@ -82,6 +84,7 @@ func TestDeleteBucketOnNotFoundError(t *testing.T) { deleteObjects(t, hc, bktName, [][2]string{{objName, emptyVersion}}) + hc.owner = bktInfo.Owner deleteBucket(t, hc, bktName, http.StatusNoContent) } @@ -99,6 +102,7 @@ func TestForceDeleteBucket(t *testing.T) { addr.SetContainer(bktInfo.CID) addr.SetObject(nodeVersion.OID) + hc.owner = bktInfo.Owner deleteBucketForce(t, hc, bktName, http.StatusConflict, "false") deleteBucketForce(t, hc, bktName, http.StatusNoContent, "true") } @@ -457,6 +461,17 @@ func TestDeleteObjectCheckMarkerReturn(t *testing.T) { require.Equal(t, deleteMarkerVersion, deleteMarkerVersion2) } +func TestDeleteBucketByNotOwner(t *testing.T) { + hc := prepareHandlerContext(t) + + bktName := "bucket-name" + bktInfo := createTestBucket(hc, bktName) + deleteBucket(t, hc, bktName, http.StatusForbidden) + + hc.owner = bktInfo.Owner + deleteBucket(t, hc, bktName, http.StatusNoContent) +} + func createBucketAndObject(tc *handlerContext, bktName, objName string) (*data.BucketInfo, *data.ObjectInfo) { bktInfo := createTestBucket(tc, bktName) diff --git a/api/handler/handlers_test.go b/api/handler/handlers_test.go index dc32ff9..628bba7 100644 --- a/api/handler/handlers_test.go +++ b/api/handler/handlers_test.go @@ -462,6 +462,7 @@ func prepareTestRequestWithQuery(hc *handlerContext, bktName, objName string, qu r.URL.RawQuery = query.Encode() reqInfo := middleware.NewReqInfo(w, r, middleware.ObjectRequest{Bucket: bktName, Object: objName}, "") + reqInfo.User = hc.owner.String() r = r.WithContext(middleware.SetReqInfo(hc.Context(), reqInfo)) return w, r