From 75a1a95c2caefb12c91ce08a0b1ea5d5d992af6b Mon Sep 17 00:00:00 2001 From: Airat Arifullin Date: Thu, 15 Feb 2024 13:59:52 +0300 Subject: [PATCH] [#986] tree: Skip ACL checks if basicACL mask is unset Signed-off-by: Airat Arifullin --- pkg/services/tree/signature.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkg/services/tree/signature.go b/pkg/services/tree/signature.go index 15067d3cd..985e1ad94 100644 --- a/pkg/services/tree/signature.go +++ b/pkg/services/tree/signature.go @@ -77,6 +77,11 @@ func (s *Service) verifyClient(req message, cid cidSDK.ID, rawBearer []byte, op } basicACL := cnr.Value.BasicACL() + // Basic ACL mask can be unset, if a container operations are performed + // with strict APE checks only. + if basicACL == 0x0 { + return nil + } if !basicACL.IsOpAllowed(op, role) { return basicACLErr(op)