TrueCloudLab/frostfs-s3-gw
15
3
Fork 18
Code Issues 28 Pull requests 5 Projects Releases 17 Packages Activity Actions

[#574] Produce deny records for private objects in put-object-acl

Browse source 
Signed-off-by: Alex Vanin <alexey@nspcc.ru>
This commit is contained in:
Alex Vanin 2022-07-21 16:06:52 +03:00 committed by Alex Vanin
parent 66fe3fee7b
commit d7f77ce874
1 changed files with 13 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
api/handler/acl.go
View file

@ -1149,6 +1149,19 @@ func aclToAst(acl *AccessControlPolicy, resInfo *resourceInfo) (*ast, error) {
ops = append(ops, writeOps...) ops = append(ops, writeOps...)
} }
// Expect to have at least 1 full control grant for owner which is set in
// parseACLHeaders(). If there is no other grants, then user sets private
// canned ACL, which is processed in this branch.
if len(acl.AccessControlList) < 2 {
for _, op := range ops {
operation := &astOperation{
Op: op,
Action: eacl.ActionDeny,
}
resource.Operations = append(resource.Operations, operation)
}
}
for _, op := range ops { for _, op := range ops {
operation := &astOperation{ operation := &astOperation{
Users: []string{acl.Owner.ID}, Users: []string{acl.Owner.ID},