From 8b4a5f07b4e75ab77228c9ad65365bf67f148ffd Mon Sep 17 00:00:00 2001
From: Donald Guy
Date: Wed, 6 Apr 2016 19:40:54 -0400
Subject: [PATCH] accessPolicy: allow anonymous HEAD for Getable objects
* accessPolicy: allow anonymous HEAD for Getable objects
* accessPolicy: allow anonymous HEAD of Listable Buckets
---
 bucket-handlers.go | 6 ++++++
 object-handlers.go | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/bucket-handlers.go b/bucket-handlers.go
index 66967ddae..41c6a15a9 100644
--- a/bucket-handlers.go
+++ b/bucket-handlers.go
@@ -600,6 +600,12 @@ func (api objectStorageAPI) HeadBucketHandler(w http.ResponseWriter, r *http.Req
 // For all unknown auth types return error.
 writeErrorResponse(w, r, ErrAccessDenied, r.URL.Path)
 return
+ case authTypeAnonymous:
+ // http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
+ if s3Error := enforceBucketPolicy("s3:ListBucket", bucket, r.URL); s3Error != ErrNone {
+ writeErrorResponse(w, r, s3Error, r.URL.Path)
+ return
+ }
 case authTypePresigned, authTypeSigned:
 if s3Error := isReqAuthenticated(r); s3Error != ErrNone {
 writeErrorResponse(w, r, s3Error, r.URL.Path)
diff --git a/object-handlers.go b/object-handlers.go
index 6f127b13a..6dab42be8 100644
--- a/object-handlers.go
+++ b/object-handlers.go
@@ -253,6 +253,12 @@ func (api objectStorageAPI) HeadObjectHandler(w http.ResponseWriter, r *http.Req
 // For all unknown auth types return error.
 writeErrorResponse(w, r, ErrAccessDenied, r.URL.Path)
 return
+ case authTypeAnonymous:
+ // http://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
+ if s3Error := enforceBucketPolicy("s3:GetObject", bucket, r.URL); s3Error != ErrNone {
+ writeErrorResponse(w, r, s3Error, r.URL.Path)
+ return
+ }
 case authTypePresigned, authTypeSigned:
 if s3Error := isReqAuthenticated(r); s3Error != ErrNone {
 writeErrorResponse(w, r, s3Error, r.URL.Path)
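Review bot: The comment on the new `case authTypeAnonymous:` branch in HeadBucketHandler is only a bare URL, so the access rule this branch enforces is not stated in the code; the matching branch in HeadObjectHandler has the same gap. Since this is the only gate for unauthenticated callers, I would spell the rule out, e.g. `// Anonymous HEAD is allowed only when the bucket policy grants s3:ListBucket; any other result is returned as an error.` The link could also use https. The enclosing switch starts and ends outside the hunk, so how the `default:` deny branch is reached is not visible here.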
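Review bot: The doc link added in HeadObjectHandler points at mpuAndPermissions.html, which looks like the multipart-upload permissions page and does not explain why `s3:GetObject` is the action checked for HEAD. Referencing the same using-with-s3-actions.html page as the bucket handler, with a comment such as `// HEAD Object is authorized by the s3:GetObject action, like GET.`, would keep the two branches consistent. Separately, `enforceBucketPolicy` is given `r.URL` rather than a parsed object name, and its body is not part of this diff. It is worth confirming that the resource it matches is derived the same way as the key the handler later looks up, so a prefix-scoped grant cannot be evaluated against a different path than the one served. The switch and the rest of the handler lie outside the hunk.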