From 76d9d5460322c0aafeb42630618a773ae2d15c7d Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Mon, 10 Dec 2018 09:27:22 -0800 Subject: [PATCH] Filter listing buckets based on user level access (#6940) Fixes #6701 --- cmd/web-handlers.go | 37 ++++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/cmd/web-handlers.go b/cmd/web-handlers.go index 077d7dbd1..a11664478 100644 --- a/cmd/web-handlers.go +++ b/cmd/web-handlers.go @@ -258,7 +258,8 @@ func (web *webAPIHandlers) ListBuckets(r *http.Request, args *WebGenericArgs, re listBuckets = web.CacheAPI().ListBuckets } - if _, _, authErr := webRequestAuthenticate(r); authErr != nil { + claims, owner, authErr := webRequestAuthenticate(r) + if authErr != nil { return toJSONError(authErr) } @@ -270,10 +271,19 @@ func (web *webAPIHandlers) ListBuckets(r *http.Request, args *WebGenericArgs, re } for _, dnsRecord := range dnsBuckets { bucketName := strings.Trim(dnsRecord.Key, "/") - reply.Buckets = append(reply.Buckets, WebBucketInfo{ - Name: bucketName, - CreationDate: dnsRecord.CreationDate, - }) + if globalIAMSys.IsAllowed(iampolicy.Args{ + AccountName: claims.Subject, + Action: iampolicy.Action(policy.GetObjectAction), + BucketName: bucketName, + ConditionValues: getConditionValues(r, ""), + IsOwner: owner, + ObjectName: "", + }) { + reply.Buckets = append(reply.Buckets, WebBucketInfo{ + Name: bucketName, + CreationDate: dnsRecord.CreationDate, + }) + } } } else { buckets, err := listBuckets(context.Background()) @@ -281,10 +291,19 @@ func (web *webAPIHandlers) ListBuckets(r *http.Request, args *WebGenericArgs, re return toJSONError(err) } for _, bucket := range buckets { - reply.Buckets = append(reply.Buckets, WebBucketInfo{ - Name: bucket.Name, - CreationDate: bucket.Created, - }) + if globalIAMSys.IsAllowed(iampolicy.Args{ + AccountName: claims.Subject, + Action: iampolicy.Action(policy.GetObjectAction), + BucketName: bucket.Name, + ConditionValues: getConditionValues(r, ""), + IsOwner: owner, + ObjectName: "", + }) { + reply.Buckets = append(reply.Buckets, WebBucketInfo{ + Name: bucket.Name, + CreationDate: bucket.Created, + }) + } } }