From d8f7fed10ab4179067b2a42922fdf3027056cfda Mon Sep 17 00:00:00 2001
From: Alex Vanin <alexey@nspcc.ru>
Date: Fri, 8 Oct 2021 15:27:54 +0300
Subject: [PATCH] [#881] acl: Use session token from request at object.Put

Session token can be present in both object header and
request meta header. They are the same during initial object
placement.

At the object replication, storage node puts object without
any session tokens attached to the request. If container's eACL
denies object.Put for USER role (use bearer to upload), then
replication might fail on objects with session tokens of the
signed by container owner. It is incorrect, so use session
token directly from request meta header.

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
---
 pkg/services/object/acl/acl.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/services/object/acl/acl.go b/pkg/services/object/acl/acl.go
index a7f5fe5e0..66fbeb739 100644
--- a/pkg/services/object/acl/acl.go
+++ b/pkg/services/object/acl/acl.go
@@ -381,7 +381,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
 			return err
 		}
 
-		sTok := part.GetHeader().GetSessionToken()
+		sTok := request.GetMetaHeader().GetSessionToken()
 
 		req := metaWithToken{
 			vheader: request.GetVerificationHeader(),