Fixes browser delete issue for anon and authorized users (#9440)

master
ebozduman 4 years ago committed by GitHub
parent f7c91eff54
commit fbd15cb7b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 9
      cmd/object-lock.go
  2. 43
      cmd/web-handlers.go

@ -31,7 +31,7 @@ import (
) )
// Similar to enforceRetentionBypassForDelete but for WebUI // Similar to enforceRetentionBypassForDelete but for WebUI
func enforceRetentionBypassForDeleteWeb(ctx context.Context, r *http.Request, bucket, object string, getObjectInfoFn GetObjectInfoFn) APIErrorCode { func enforceRetentionBypassForDeleteWeb(ctx context.Context, r *http.Request, bucket, object string, getObjectInfoFn GetObjectInfoFn, govBypassPerms bool) APIErrorCode {
opts, err := getOpts(ctx, r, bucket, object) opts, err := getOpts(ctx, r, bucket, object)
if err != nil { if err != nil {
return toAPIErrorCode(ctx, err) return toAPIErrorCode(ctx, err)
@ -80,7 +80,7 @@ func enforceRetentionBypassForDeleteWeb(ctx context.Context, r *http.Request, bu
// and must explicitly include x-amz-bypass-governance-retention:true // and must explicitly include x-amz-bypass-governance-retention:true
// as a request header with any request that requires overriding // as a request header with any request that requires overriding
// governance mode. // governance mode.
byPassSet := objectlock.IsObjectLockGovernanceBypassSet(r.Header) byPassSet := govBypassPerms && objectlock.IsObjectLockGovernanceBypassSet(r.Header)
if !byPassSet { if !byPassSet {
t, err := objectlock.UTCNowNTP() t, err := objectlock.UTCNowNTP()
if err != nil { if err != nil {
@ -91,6 +91,11 @@ func enforceRetentionBypassForDeleteWeb(ctx context.Context, r *http.Request, bu
if !ret.RetainUntilDate.Before(t) { if !ret.RetainUntilDate.Before(t) {
return ErrObjectLocked return ErrObjectLocked
} }
if !govBypassPerms {
return ErrObjectLocked
}
return ErrNone return ErrNone
} }
} }
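Review bot: The added `if !govBypassPerms { return ErrObjectLocked }` sits after the `RetainUntilDate.Before(t)` expiry test, so a caller without bypass permission appears to get ErrObjectLocked even after the retention date has passed. Because `byPassSet` is now `govBypassPerms && ...`, such a caller always enters the `!byPassSet` branch, and both of its exits return locked. If expired governance retention is meant to release the object to anyone holding delete permission, drop the added check and keep `return ErrNone` after the expiry test; if the stricter behaviour is intended, say so with a comment such as `// expired governance retention still requires bypass permission`. The retention-mode switch and the rest of the function lie outside the visible hunks, so this reading covers only the branch shown.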

@ -667,10 +667,8 @@ next:
for _, objectName := range args.Objects { for _, objectName := range args.Objects {
// If not a directory, remove the object. // If not a directory, remove the object.
if !HasSuffix(objectName, SlashSeparator) && objectName != "" { if !HasSuffix(objectName, SlashSeparator) && objectName != "" {
// Check for permissions only in the case of // Check permissions for non-anonymous user.
// non-anonymous login. For anonymous login, policy has already govBypassPerms := false
// been checked.
govBypassPerms := ErrAccessDenied
if authErr != errNoAuthToken { if authErr != errNoAuthToken {
if !globalIAMSys.IsAllowed(iampolicy.Args{ if !globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: claims.AccessKey, AccountName: claims.AccessKey,
@ -692,22 +690,12 @@ next:
ObjectName: objectName, ObjectName: objectName,
Claims: claims.Map(), Claims: claims.Map(),
}) { }) {
govBypassPerms = ErrNone govBypassPerms = true
}
if globalIAMSys.IsAllowed(iampolicy.Args{
AccountName: claims.AccessKey,
Action: iampolicy.GetBucketObjectLockConfigurationAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", claims.AccessKey, claims.Map()),
IsOwner: owner,
ObjectName: objectName,
Claims: claims.Map(),
}) {
govBypassPerms = ErrNone
} }
} }
if authErr == errNoAuthToken { if authErr == errNoAuthToken {
// Check if object is allowed to be deleted anonymously // Check if object is allowed to be deleted anonymously.
if !globalPolicySys.IsAllowed(policy.Args{ if !globalPolicySys.IsAllowed(policy.Args{
Action: policy.DeleteObjectAction, Action: policy.DeleteObjectAction,
BucketName: args.BucketName, BucketName: args.BucketName,
@ -726,31 +714,14 @@ next:
IsOwner: false, IsOwner: false,
ObjectName: objectName, ObjectName: objectName,
}) { }) {
govBypassPerms = ErrNone govBypassPerms = true
}
// Check if object is allowed to be deleted anonymously
if globalPolicySys.IsAllowed(policy.Args{
Action: policy.GetBucketObjectLockConfigurationAction,
BucketName: args.BucketName,
ConditionValues: getConditionValues(r, "", "", nil),
IsOwner: false,
ObjectName: objectName,
}) {
govBypassPerms = ErrNone
} }
} }
if govBypassPerms != ErrNone {
return toJSONError(ctx, errAccessDenied)
}
apiErr := ErrNone apiErr := enforceRetentionBypassForDeleteWeb(ctx, r, args.BucketName, objectName, getObjectInfo, govBypassPerms)
if _, ok := globalBucketObjectLockConfig.Get(args.BucketName); ok && (apiErr == ErrNone) {
apiErr = enforceRetentionBypassForDeleteWeb(ctx, r, args.BucketName, objectName, getObjectInfo)
if apiErr != ErrNone && apiErr != ErrNoSuchKey { if apiErr != ErrNone && apiErr != ErrNoSuchKey {
return toJSONError(ctx, errAccessDenied) return toJSONError(ctx, errAccessDenied)
} }
}
if apiErr == ErrNone { if apiErr == ErrNone {
if err = deleteObject(ctx, objectAPI, web.CacheAPI(), args.BucketName, objectName, r); err != nil { if err = deleteObject(ctx, objectAPI, web.CacheAPI(), args.BucketName, objectName, r); err != nil {
break next break next
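Review bot: With the `globalBucketObjectLockConfig.Get` guard removed, `enforceRetentionBypassForDeleteWeb` now runs for every object in every bucket, and every result other than ErrNone or ErrNoSuchKey is returned as `errAccessDenied`. That folds a retention lock, and any lookup failure inside the helper, into the same answer as a policy denial, so clients and logs cannot tell lock enforcement from an authorization failure. Consider reporting ErrObjectLocked distinctly. Also document the remaining path with a comment such as `// ErrNoSuchKey falls through without a delete call`. The loop body continues past the end of this section, so what follows `break next` is not visible here.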
