From a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485 Mon Sep 17 00:00:00 2001
From: Anis Elleuch
Date: Fri, 17 Feb 2023 03:23:34 +0100
Subject: [PATCH] fix: evaluate BypassGov policy action in deletion correctly (#16635)

---
 cmd/bucket-object-lock.go | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/cmd/bucket-object-lock.go b/cmd/bucket-object-lock.go
index 1ffcb8cc7..cbfc557a2 100644
--- a/cmd/bucket-object-lock.go
+++ b/cmd/bucket-object-lock.go
@@ -156,11 +156,8 @@ func enforceRetentionBypassForDelete(ctx context.Context, r *http.Request, bucke
 		return ErrNone
 	}
 	// https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html#object-lock-retention-modes
-	// If you try to delete objects protected by governance mode and have s3:BypassGovernanceRetention
-	// or s3:GetBucketObjectLockConfiguration permissions, the operation will succeed.
-	govBypassPerms1 := checkRequestAuthType(ctx, r, policy.BypassGovernanceRetentionAction, bucket, object.ObjectName)
-	govBypassPerms2 := checkRequestAuthType(ctx, r, policy.GetBucketObjectLockConfigurationAction, bucket, object.ObjectName)
-	if govBypassPerms1 != ErrNone && govBypassPerms2 != ErrNone {
+	// If you try to delete objects protected by governance mode and have s3:BypassGovernanceRetention, the operation will succeed.
+	if checkRequestAuthType(ctx, r, policy.BypassGovernanceRetentionAction, bucket, object.ObjectName) != ErrNone {
 		return ErrAccessDenied
 	}
 }
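Review bot: The added `if checkRequestAuthType(...) != ErrNone` line still collapses every non-ErrNone result from checkRequestAuthType into ErrAccessDenied, so a signature or credential failure on a governance-bypass delete is reported as a policy denial; if that wider set of codes is safe to surface here, `if s3Err := checkRequestAuthType(ctx, r, policy.BypassGovernanceRetentionAction, bucket, object.ObjectName); s3Err != ErrNone { return s3Err }` keeps the real cause, and if the DeleteObject handler has already authenticated the request before reaching this point the collapse is harmless and the current form is fine. The hunk closes a genuine over-grant — the read-only s3:GetBucketObjectLockConfiguration action no longer lets a caller bypass governance retention — and deserves a regression test asserting that a principal holding only that action gets ErrAccessDenied while one holding s3:BypassGovernanceRetention gets ErrNone. AWS additionally requires the caller to send `x-amz-bypass-governance-retention: true` and only applies the bypass to GOVERNANCE (not COMPLIANCE) retention; those conditions are presumably handled by the early `return ErrNone` path and whatever precedes it, but enforceRetentionBypassForDelete starts outside the hunk, so confirm the new permission check is still gated by both. The rewritten comment could record that dependency so the next reader does not assume the permission alone suffices: `// AWS: deleting a GOVERNANCE-protected object succeeds only with s3:BypassGovernanceRetention AND the x-amz-bypass-governance-retention: true header.`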