Fixes browser delete issue for anon and authorized users (#9440)
parent
f7c91eff54
commit
fbd15cb7b7
@ -31,7 +31,7 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
// Similar to enforceRetentionBypassForDelete but for WebUI
|
// Similar to enforceRetentionBypassForDelete but for WebUI
|
||||||
func enforceRetentionBypassForDeleteWeb(ctx context.Context, r *http.Request, bucket, object string, getObjectInfoFn GetObjectInfoFn) APIErrorCode {
|
func enforceRetentionBypassForDeleteWeb(ctx context.Context, r *http.Request, bucket, object string, getObjectInfoFn GetObjectInfoFn, govBypassPerms bool) APIErrorCode {
|
||||||
opts, err := getOpts(ctx, r, bucket, object)
|
opts, err := getOpts(ctx, r, bucket, object)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return toAPIErrorCode(ctx, err)
|
return toAPIErrorCode(ctx, err)
|
||||||
@ -80,7 +80,7 @@ func enforceRetentionBypassForDeleteWeb(ctx context.Context, r *http.Request, bu
|
|||||||
// and must explicitly include x-amz-bypass-governance-retention:true
|
// and must explicitly include x-amz-bypass-governance-retention:true
|
||||||
// as a request header with any request that requires overriding
|
// as a request header with any request that requires overriding
|
||||||
// governance mode.
|
// governance mode.
|
||||||
byPassSet := objectlock.IsObjectLockGovernanceBypassSet(r.Header)
|
byPassSet := govBypassPerms && objectlock.IsObjectLockGovernanceBypassSet(r.Header)
|
||||||
if !byPassSet {
|
if !byPassSet {
|
||||||
t, err := objectlock.UTCNowNTP()
|
t, err := objectlock.UTCNowNTP()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -91,6 +91,11 @@ func enforceRetentionBypassForDeleteWeb(ctx context.Context, r *http.Request, bu
|
|||||||
if !ret.RetainUntilDate.Before(t) {
|
if !ret.RetainUntilDate.Before(t) {
|
||||||
return ErrObjectLocked
|
return ErrObjectLocked
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !govBypassPerms {
|
||||||
|
return ErrObjectLocked
|
||||||
|
}
|
||||||
|
|
||||||
return ErrNone
|
return ErrNone
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
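Review bot: The added `if !govBypassPerms { return ErrObjectLocked }` sits after the retain-until check has already passed, so a caller without bypass permission appears to get ErrObjectLocked even when the retention date is in the past. If that fail-closed behaviour is intended for the WebUI, say so with a comment such as `// WebUI: without bypass permission, refuse to delete governance-mode objects even after retention has expired`; if it is not intended, drop the check so that expired retention returns ErrNone regardless of bypass permission. The function comment should also document the new `govBypassPerms` parameter: it is computed by the caller from policy and is honoured only together with the `x-amz-bypass-governance-retention` header. The function body between and around these hunks is not visible, so the enclosing retention-mode branch is inferred.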
|
@ -667,10 +667,8 @@ next:
|
|||||||
for _, objectName := range args.Objects {
|
for _, objectName := range args.Objects {
|
||||||
// If not a directory, remove the object.
|
// If not a directory, remove the object.
|
||||||
if !HasSuffix(objectName, SlashSeparator) && objectName != "" {
|
if !HasSuffix(objectName, SlashSeparator) && objectName != "" {
|
||||||
// Check for permissions only in the case of
|
// Check permissions for non-anonymous user.
|
||||||
// non-anonymous login. For anonymous login, policy has already
|
govBypassPerms := false
|
||||||
// been checked.
|
|
||||||
govBypassPerms := ErrAccessDenied
|
|
||||||
if authErr != errNoAuthToken {
|
if authErr != errNoAuthToken {
|
||||||
if !globalIAMSys.IsAllowed(iampolicy.Args{
|
if !globalIAMSys.IsAllowed(iampolicy.Args{
|
||||||
AccountName: claims.AccessKey,
|
AccountName: claims.AccessKey,
|
||||||
@ -692,22 +690,12 @@ next:
|
|||||||
ObjectName: objectName,
|
ObjectName: objectName,
|
||||||
Claims: claims.Map(),
|
Claims: claims.Map(),
|
||||||
}) {
|
}) {
|
||||||
govBypassPerms = ErrNone
|
govBypassPerms = true
|
||||||
}
|
|
||||||
if globalIAMSys.IsAllowed(iampolicy.Args{
|
|
||||||
AccountName: claims.AccessKey,
|
|
||||||
Action: iampolicy.GetBucketObjectLockConfigurationAction,
|
|
||||||
BucketName: args.BucketName,
|
|
||||||
ConditionValues: getConditionValues(r, "", claims.AccessKey, claims.Map()),
|
|
||||||
IsOwner: owner,
|
|
||||||
ObjectName: objectName,
|
|
||||||
Claims: claims.Map(),
|
|
||||||
}) {
|
|
||||||
govBypassPerms = ErrNone
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if authErr == errNoAuthToken {
|
if authErr == errNoAuthToken {
|
||||||
// Check if object is allowed to be deleted anonymously
|
// Check if object is allowed to be deleted anonymously.
|
||||||
if !globalPolicySys.IsAllowed(policy.Args{
|
if !globalPolicySys.IsAllowed(policy.Args{
|
||||||
Action: policy.DeleteObjectAction,
|
Action: policy.DeleteObjectAction,
|
||||||
BucketName: args.BucketName,
|
BucketName: args.BucketName,
|
||||||
@ -726,31 +714,14 @@ next:
|
|||||||
IsOwner: false,
|
IsOwner: false,
|
||||||
ObjectName: objectName,
|
ObjectName: objectName,
|
||||||
}) {
|
}) {
|
||||||
govBypassPerms = ErrNone
|
govBypassPerms = true
|
||||||
}
|
|
||||||
|
|
||||||
// Check if object is allowed to be deleted anonymously
|
|
||||||
if globalPolicySys.IsAllowed(policy.Args{
|
|
||||||
Action: policy.GetBucketObjectLockConfigurationAction,
|
|
||||||
BucketName: args.BucketName,
|
|
||||||
ConditionValues: getConditionValues(r, "", "", nil),
|
|
||||||
IsOwner: false,
|
|
||||||
ObjectName: objectName,
|
|
||||||
}) {
|
|
||||||
govBypassPerms = ErrNone
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if govBypassPerms != ErrNone {
|
|
||||||
|
apiErr := enforceRetentionBypassForDeleteWeb(ctx, r, args.BucketName, objectName, getObjectInfo, govBypassPerms)
|
||||||
|
if apiErr != ErrNone && apiErr != ErrNoSuchKey {
|
||||||
return toJSONError(ctx, errAccessDenied)
|
return toJSONError(ctx, errAccessDenied)
|
||||||
}
|
}
|
||||||
|
|
||||||
apiErr := ErrNone
|
|
||||||
if _, ok := globalBucketObjectLockConfig.Get(args.BucketName); ok && (apiErr == ErrNone) {
|
|
||||||
apiErr = enforceRetentionBypassForDeleteWeb(ctx, r, args.BucketName, objectName, getObjectInfo)
|
|
||||||
if apiErr != ErrNone && apiErr != ErrNoSuchKey {
|
|
||||||
return toJSONError(ctx, errAccessDenied)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if apiErr == ErrNone {
|
if apiErr == ErrNone {
|
||||||
if err = deleteObject(ctx, objectAPI, web.CacheAPI(), args.BucketName, objectName, r); err != nil {
|
if err = deleteObject(ctx, objectAPI, web.CacheAPI(), args.BucketName, objectName, r); err != nil {
|
||||||
break next
|
break next
|
||||||
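Review bot: `enforceRetentionBypassForDeleteWeb` is now called for every object without the earlier bucket object-lock configuration guard, and every result other than ErrNone and ErrNoSuchKey is reported as `errAccessDenied`, so a retention lock, a `getOpts` failure and a genuine policy denial look the same to the user and in any audit trail built on this response. ErrNoSuchKey raises no error but still skips `deleteObject` because of the following `if apiErr == ErrNone`, which deserves a comment such as `// ErrNoSuchKey: nothing to delete, skip without failing the request`. Consider logging `apiErr` before it is mapped, so that operators can tell a locked object from an authorization failure. The loop body begins before and continues after these hunks.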
|