fix: Disable presigned without appropriate policy (#9621)

Fixes #9590
master
Harshavardhana 5 years ago committed by GitHub
parent a62572fb86
commit de9b391db3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 1
      cmd/jwt.go
  2. 14
      cmd/web-handlers.go

@ -47,6 +47,7 @@ var (
errAuthentication = errors.New("Authentication failed, check your access credentials")
errNoAuthToken = errors.New("JWT token missing")
errIncorrectCreds = errors.New("Current access key or secret key is incorrect")
errPresignedNotAllowed = errors.New("Unable to generate shareable URL due to lack of read permissions")
)
func authenticateJWTUsers(accessKey, secretKey string, expiry time.Duration) (string, error) {

@ -1966,6 +1966,20 @@ func (web *webAPIHandlers) PresignedGet(r *http.Request, args *PresignedGetArgs,
return toJSONError(ctx, errInvalidBucketName)
}
// Check if the user indeed has GetObject access,
// if not we do not need to generate presigned URLs
if !globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: claims.AccessKey,
Action: iampolicy.GetObjectAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", claims.AccessKey, claims.Map()),
IsOwner: owner,
ObjectName: args.ObjectName,
Claims: claims.Map(),
}) {
return toJSONError(ctx, errPresignedNotAllowed)
}
reply.UIVersion = browser.UIVersion
reply.URL = presignedGet(args.HostName, args.BucketName, args.ObjectName, args.Expiry, creds, region)
return nil

Loading…
Cancel
Save