From e38bdae07aa5421427e24fe0789903b71e52a929 Mon Sep 17 00:00:00 2001
From: Denis Kirillov <denis@nspcc.ru>
Date: Wed, 24 Aug 2022 18:22:18 +0300
Subject: [PATCH] [#676] Fix object acl

Put object acl always add rules to specific version of object.
Get object acl consider READ rights as FULL_CONTROL
because WRITE cannot be applied to object

Signed-off-by: Denis Kirillov <denis@nspcc.ru>
---
 api/handler/acl.go | 68 ++++++++++++++++++++--------------------------
 1 file changed, 30 insertions(+), 38 deletions(-)

diff --git a/api/handler/acl.go b/api/handler/acl.go
index 7677186..dba4035 100644
--- a/api/handler/acl.go
+++ b/api/handler/acl.go
@@ -327,30 +327,6 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	list := &AccessControlPolicy{}
-	if r.ContentLength == 0 {
-		list, err = parseACLHeaders(r.Header, key)
-		if err != nil {
-			h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
-			return
-		}
-	} else if err = xml.NewDecoder(r.Body).Decode(list); err != nil {
-		h.logAndSendError(w, "could not parse bucket acl", reqInfo, errors.GetAPIError(errors.ErrMalformedXML))
-		return
-	}
-
-	resInfo := &resourceInfo{
-		Bucket:  reqInfo.BucketName,
-		Object:  reqInfo.ObjectName,
-		Version: versionID,
-	}
-
-	astObject, err := aclToAst(list, resInfo)
-	if err != nil {
-		h.logAndSendError(w, "could not translate acl to ast", reqInfo, err)
-		return
-	}
-
 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
 	if err != nil {
 		h.logAndSendError(w, "could not get bucket info", reqInfo, err)
@@ -369,6 +345,30 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	list := &AccessControlPolicy{}
+	if r.ContentLength == 0 {
+		list, err = parseACLHeaders(r.Header, key)
+		if err != nil {
+			h.logAndSendError(w, "could not parse bucket acl", reqInfo, err)
+			return
+		}
+	} else if err = xml.NewDecoder(r.Body).Decode(list); err != nil {
+		h.logAndSendError(w, "could not parse bucket acl", reqInfo, errors.GetAPIError(errors.ErrMalformedXML))
+		return
+	}
+
+	resInfo := &resourceInfo{
+		Bucket:  reqInfo.BucketName,
+		Object:  reqInfo.ObjectName,
+		Version: objInfo.VersionID(),
+	}
+
+	astObject, err := aclToAst(list, resInfo)
+	if err != nil {
+		h.logAndSendError(w, "could not translate acl to ast", reqInfo, err)
+		return
+	}
+
 	updated, err := h.updateBucketACL(r, astObject, bktInfo, token)
 	if err != nil {
 		h.logAndSendError(w, "could not update bucket acl", reqInfo, err)
@@ -1361,25 +1361,17 @@ func (h *handler) encodeObjectACL(bucketACL *layer.BucketACL, bucketName, object
 
 	for key, val := range m {
 		permission := aclFullControl
-		read, write := true, true
+		read := true
 		for op := eacl.OperationGet; op <= eacl.OperationRangeHash; op++ {
-			if !contains(val, op) {
-				if isWriteOperation(op) {
-					write = false
-				} else {
-					read = false
-				}
+			if !contains(val, op) && !isWriteOperation(op) {
+				read = false
 			}
 		}
 
-		if !read && !write {
+		if read {
+			permission = aclFullControl
+		} else {
 			h.log.Warn("some acl not fully mapped")
-			continue
-		}
-		if !read {
-			permission = aclWrite
-		} else if !write {
-			permission = aclRead
 		}
 
 		var grantee *Grantee