From 437dd4e32a5262ab48579ffcbcdc296ac76c46c0 Mon Sep 17 00:00:00 2001
From: Ramon de Klein
Date: Wed, 12 Feb 2025 17:08:13 +0100
Subject: [PATCH] Fix missing authorization check for `PutObjectRetentionHandler` (#20929)
---
 cmd/object-handlers.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go
index 3c563b8cc..9bd929cfc 100644
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -2884,6 +2884,12 @@ func (api objectAPIHandlers) PutObjectRetentionHandler(w http.ResponseWriter, r
 return
 }
 
+ // Check permissions to perform this object retention operation
+ if s3Err := checkRequestAuthType(ctx, r, policy.PutObjectRetentionAction, bucket, object); s3Err != ErrNone {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
+ return
+ }
+
 cred, owner, s3Err := validateSignature(getRequestAuthType(r), r)
 if s3Err != ErrNone {
 writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
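Review bot: The added `checkRequestAuthType` call ships without a regression test. The diffstat shows only cmd/object-handlers.go changing, so nothing pins that a caller lacking `policy.PutObjectRetentionAction` on the bucket/object is rejected before the retention is written. A handler test that sends a correctly signed request from a credential without that action and expects the access-denied response would keep the check from being dropped in a later refactor. The new comment could also record why both calls are needed, e.g. `// validateSignature below only authenticates and returns cred/owner; the policy decision is made here.`, which is presumably why the gap existed, so confirm it against validateSignature. PutObjectRetentionHandler starts and ends outside this hunk, so how the later code uses `cred` and `owner` cannot be checked from here.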