From e38bdae07aa5421427e24fe0789903b71e52a929 Mon Sep 17 00:00:00 2001
From: Denis Kirillov
Date: Wed, 24 Aug 2022 18:22:18 +0300
Subject: [PATCH] [#676] Fix object acl

Put object acl always add rules to specific version of object. Get object acl consider READ rights as FULL_CONTROL because WRITE cannot be applied to object

Signed-off-by: Denis Kirillov
---
 api/handler/acl.go | 68 ++++++++++++++++++++--------------------
 1 file changed, 30 insertions(+), 38 deletions(-)

diff --git a/api/handler/acl.go b/api/handler/acl.go
index 76771863..dba40357 100644
--- a/api/handler/acl.go
+++ b/api/handler/acl.go
@@ -327,30 +327,6 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- list := &AccessControlPolicy{}
- if r.ContentLength == 0 {
- list, err = parseACLHeaders(r.Header, key)
- if err != nil {
- h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
- return
- }
- } else if err = xml.NewDecoder(r.Body).Decode(list); err != nil {
- h.logAndSendError(w, "could not parse bucket acl", reqInfo, errors.GetAPIError(errors.ErrMalformedXML))
- return
- }
-
- resInfo := &resourceInfo{
- Bucket: reqInfo.BucketName,
- Object: reqInfo.ObjectName,
- Version: versionID,
- }
-
- astObject, err := aclToAst(list, resInfo)
- if err != nil {
- h.logAndSendError(w, "could not translate acl to ast", reqInfo, err)
- return
- }
-
 bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
 if err != nil {
 h.logAndSendError(w, "could not get bucket info", reqInfo, err)
@@ -369,6 +345,30 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ list := &AccessControlPolicy{}
+ if r.ContentLength == 0 {
+ list, err = parseACLHeaders(r.Header, key)
+ if err != nil {
+ h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
+ return
+ }
+ } else if err = xml.NewDecoder(r.Body).Decode(list); err != nil {
+ h.logAndSendError(w, "could not parse bucket acl", reqInfo, errors.GetAPIError(errors.ErrMalformedXML))
+ return
+ }
+
+ resInfo := &resourceInfo{
+ Bucket: reqInfo.BucketName,
+ Object: reqInfo.ObjectName,
+ Version: objInfo.VersionID(),
+ }
+
+ astObject, err := aclToAst(list, resInfo)
+ if err != nil {
+ h.logAndSendError(w, "could not translate acl to ast", reqInfo, err)
+ return
+ }
+
 updated, err := h.updateBucketACL(r, astObject, bktInfo, token)
 if err != nil {
 h.logAndSendError(w, "could not update bucket acl", reqInfo, err)
@@ -1361,25 +1361,17 @@ func (h *handler) encodeObjectACL(bucketACL *layer.BucketACL, bucketName, object
 for key, val := range m {
 permission := aclFullControl
- read, write := true, true
+ read := true
 for op := eacl.OperationGet; op <= eacl.OperationRangeHash; op++ {
- if !contains(val, op) {
- if isWriteOperation(op) {
- write = false
- } else {
- read = false
- }
+ if !contains(val, op) && !isWriteOperation(op) {
+ read = false
 }
 }
 
- if !read && !write {
+ if read {
+ permission = aclFullControl
+ } else {
 h.log.Warn("some acl not fully mapped")
- continue
- }
- if !read {
- permission = aclWrite
- } else if !write {
- permission = aclRead
 }
 
 var grantee *Grantee
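Review bot: The error messages in the moved block still say "bucket acl" — `"could not parse bucket acl"` on both parse paths and `"could not update bucket acl"` in the trailing context — although this is PutObjectACLHandler, so a failed object-ACL update is logged (and, as far as logAndSendError forwards the text, reported) as a bucket-ACL failure, which muddles log-based triage. Suggest `h.logAndSendError(w, "could not parse object acl", reqInfo, err)` for the header path and the same wording with `errors.GetAPIError(errors.ErrMalformedXML)` for the XML path. The XML branch also decodes r.Body with no size bound; unless request bodies are already capped upstream, `xml.NewDecoder(http.MaxBytesReader(w, r.Body, maxACLBodyBytes))` keeps an oversized ACL document from being read in full (maxACLBodyBytes is a placeholder for whatever limit the project chooses). PutObjectACLHandler starts before this hunk, so whether a body limit is applied earlier cannot be seen here.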
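Review bot: Dropping `continue` from the not-fully-mapped branch means a grantee whose read operations are only partly present now falls through to the code below with `permission` still at its initial `aclFullControl`, so the ACL response would present that principal as FULL_CONTROL for an entry the code itself warns is not mapped — an over-statement of effective rights, where the old code omitted the grant. Keep the skip: `h.log.Warn("some acl not fully mapped")` followed by `continue`, which also makes the `permission = aclFullControl` assignment in the `if read` branch redundant with the initialisation two lines above, so the whole block can shrink to `if !read { h.log.Warn("some acl not fully mapped"); continue }`. The rest of encodeObjectACL, including where the grant is appended, lies outside the hunk, so the fall-through effect is inferred from the visible control flow.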