browser: Allow anonymous browsing of readable buckets. (#3515)

2025-11-20 09:56:07 -05:00 · 2017-01-12 02:56:42 +05:30
parent 7c6d77734a
commit 12a7a15daa
4 changed files with 216 additions and 65 deletions
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@@ -151,21 +151,23 @@ func (web *webAPIHandlers) ListBuckets(r *http.Request, args *WebGenericArgs, re
 	if objectAPI == nil {
 		return toJSONError(errServerNotInitialized)
 	}
-	if !isHTTPRequestValid(r) {
-		return toJSONError(errAuthentication)
+	authErr := webReqestAuthenticate(r)
+	if authErr != nil {
+		return toJSONError(authErr)
 	}
 	buckets, err := objectAPI.ListBuckets()
 	if err != nil {
 		return toJSONError(err)
 	}
 	for _, bucket := range buckets {
-		// List all buckets which are not private.
-		if bucket.Name != path.Base(reservedBucket) {
-			reply.Buckets = append(reply.Buckets, WebBucketInfo{
-				Name:         bucket.Name,
-				CreationDate: bucket.Created,
-			})
+		if bucket.Name == path.Base(reservedBucket) {
+			continue
 		}
+
+		reply.Buckets = append(reply.Buckets, WebBucketInfo{
+			Name:         bucket.Name,
+			CreationDate: bucket.Created,
+		})
 	}
 	reply.UIVersion = miniobrowser.UIVersion
 	return nil
@@ -180,6 +182,7 @@ type ListObjectsArgs struct {
 // ListObjectsRep - list objects response.
 type ListObjectsRep struct {
 	Objects   []WebObjectInfo `json:"objects"`
+	Writable  bool            `json:"writable"` // Used by client to show "upload file" button.
 	UIVersion string          `json:"uiVersion"`
 }

@@ -197,12 +200,30 @@ type WebObjectInfo struct {

 // ListObjects - list objects api.
 func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, reply *ListObjectsRep) error {
+	reply.UIVersion = miniobrowser.UIVersion
 	objectAPI := web.ObjectAPI()
 	if objectAPI == nil {
 		return toJSONError(errServerNotInitialized)
 	}
-	if !isHTTPRequestValid(r) {
-		return toJSONError(errAuthentication)
+	prefix := args.Prefix + "test" // To test if GetObject/PutObject with the specified prefix is allowed.
+	readable := isBucketActionAllowed("s3:GetObject", args.BucketName, prefix)
+	writable := isBucketActionAllowed("s3:PutObject", args.BucketName, prefix)
+	authErr := webReqestAuthenticate(r)
+	switch {
+	case authErr == errAuthentication:
+		return toJSONError(authErr)
+	case authErr == nil:
+		break
+	case readable && writable:
+		reply.Writable = true
+		break
+	case readable:
+		break
+	case writable:
+		reply.Writable = true
+		return nil
+	default:
+		return errAuthentication
 	}
 	marker := ""
 	for {
@@ -228,7 +249,6 @@ func (web *webAPIHandlers) ListObjects(r *http.Request, args *ListObjectsArgs, r
 			break
 		}
 	}
-	reply.UIVersion = miniobrowser.UIVersion
 	return nil
 }

@@ -420,14 +440,20 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if !isHTTPRequestValid(r) {
-		writeWebErrorResponse(w, errAuthentication)
-		return
-	}
 	vars := mux.Vars(r)
 	bucket := vars["bucket"]
 	object := vars["object"]

+	authErr := webReqestAuthenticate(r)
+	if authErr == errAuthentication {
+		writeWebErrorResponse(w, errAuthentication)
+		return
+	}
+	if authErr != nil && !isBucketActionAllowed("s3:PutObject", bucket, object) {
+		writeWebErrorResponse(w, errAuthentication)
+		return
+	}
+
 	// Extract incoming metadata if any.
 	metadata := extractMetadataFromHeader(r.Header)

@@ -467,7 +493,7 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
 	object := vars["object"]
 	token := r.URL.Query().Get("token")

-	if !isAuthTokenValid(token) {
+	if !isAuthTokenValid(token) && !isBucketActionAllowed("s3:GetObject", bucket, object) {
 		writeWebErrorResponse(w, errAuthentication)
 		return
 	}