From 5ab9cc029d1de8105388e02538ac78e1891de2d9 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Mon, 9 Mar 2020 21:21:35 -0700
Subject: [PATCH] fix: crash observed for anonymous deletes from UI (#9107)
---
 cmd/web-handlers.go | 44 ++++++++++++++++++++++++++++++++++----------
 1 file changed, 34 insertions(+), 10 deletions(-)
diff --git a/cmd/web-handlers.go b/cmd/web-handlers.go
index 8c76ceb45..9322357c7 100644
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@@ -690,6 +690,17 @@ next:
 }
 }
 if authErr == errNoAuthToken {
+ // Check if object is allowed to be deleted anonymously
+ if !globalPolicySys.IsAllowed(policy.Args{
+ Action: policy.DeleteObjectAction,
+ BucketName: args.BucketName,
+ ConditionValues: getConditionValues(r, "", "", nil),
+ IsOwner: false,
+ ObjectName: objectName,
+ }) {
+ return toJSONError(ctx, errAccessDenied)
+ }
+
 // Check if object is allowed to be deleted anonymously
 if globalPolicySys.IsAllowed(policy.Args{
 Action: policy.BypassGovernanceRetentionAction,
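Review bot: The comment added at the top of this block, `// Check if object is allowed to be deleted anonymously`, is word-for-word the same as the one on the pre-existing check just below it, although the two now evaluate different actions (`policy.DeleteObjectAction` versus `policy.BypassGovernanceRetentionAction`). Since the new check is the one that actually gates anonymous deletion, I would label it `// Anonymous request: deny unless the bucket policy allows DeleteObject` and reword the lower one to `// Anonymous request: check whether the bucket policy allows bypassing governance retention`. The commit subject only mentions a crash, yet this hunk adds an authorization check that the anonymous branch did not show before, so a line in the description saying so would help anyone auditing access-control changes. The `if authErr == errNoAuthToken` block continues outside the hunk.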
@@ -710,16 +721,29 @@ next:
 continue
 }
- if !globalIAMSys.IsAllowed(iampolicy.Args{
- AccountName: claims.AccessKey,
- Action: iampolicy.DeleteObjectAction,
- BucketName: args.BucketName,
- ConditionValues: getConditionValues(r, "", claims.AccessKey, claims.Map()),
- IsOwner: owner,
- ObjectName: objectName,
- Claims: claims.Map(),
- }) {
- return toJSONError(ctx, errAccessDenied)
+ if authErr == errNoAuthToken {
+ // Check if object is allowed to be deleted anonymously
+ if !globalPolicySys.IsAllowed(policy.Args{
+ Action: iampolicy.DeleteObjectAction,
+ BucketName: args.BucketName,
+ ConditionValues: getConditionValues(r, "", "", nil),
+ IsOwner: false,
+ ObjectName: objectName,
+ }) {
+ return toJSONError(ctx, errAccessDenied)
+ }
+ } else {
+ if !globalIAMSys.IsAllowed(iampolicy.Args{
+ AccountName: claims.AccessKey,
+ Action: iampolicy.DeleteObjectAction,
+ BucketName: args.BucketName,
+ ConditionValues: getConditionValues(r, "", claims.AccessKey, claims.Map()),
+ IsOwner: owner,
+ ObjectName: objectName,
+ Claims: claims.Map(),
+ }) {
+ return toJSONError(ctx, errAccessDenied)
+ }
+ }
 // For directories, list the contents recursively and remove.
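Review bot: The anonymous branch added here fills a `policy.Args` literal with `Action: iampolicy.DeleteObjectAction`, while the matching anonymous check in the first hunk uses `policy.DeleteObjectAction` for the same bucket-policy evaluation. Passing the IAM package's constant to the bucket-policy evaluator presumably works only because both constants carry the same action string; that coupling is not visible in this diff, and an authorization decision should not depend on it. I would write `Action: policy.DeleteObjectAction,` in this branch so both anonymous checks use the same constant. As a style point, the nested `else { if ... }` can be flattened to `} else if !globalIAMSys.IsAllowed(iampolicy.Args{` with the same body. The enclosing loop body starts and ends outside the hunk.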