From d7f77ce8748f1423371e87b0917eab5f6596c291 Mon Sep 17 00:00:00 2001 From: Alex Vanin Date: Thu, 21 Jul 2022 16:06:52 +0300 Subject: [PATCH] [#574] Produce deny records for private objects in put-object-acl Signed-off-by: Alex Vanin --- api/handler/acl.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/api/handler/acl.go b/api/handler/acl.go index 7befb2986..36a5de61d 100644 --- a/api/handler/acl.go +++ b/api/handler/acl.go @@ -1149,6 +1149,19 @@ func aclToAst(acl *AccessControlPolicy, resInfo *resourceInfo) (*ast, error) { ops = append(ops, writeOps...) } + // Expect to have at least 1 full control grant for owner which is set in + // parseACLHeaders(). If there is no other grants, then user sets private + // canned ACL, which is processed in this branch. + if len(acl.AccessControlList) < 2 { + for _, op := range ops { + operation := &astOperation{ + Op: op, + Action: eacl.ActionDeny, + } + resource.Operations = append(resource.Operations, operation) + } + } + for _, op := range ops { operation := &astOperation{ Users: []string{acl.Owner.ID},