(bucket, objectMD, requestType, canonicalID, requesterIsNotUser,
isUserUnauthenticated, mainApiCall)
| 159 | } |
| 160 | |
| 161 | function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIsNotUser, |
| 162 | isUserUnauthenticated, mainApiCall) { |
| 163 | const bucketOwner = bucket.getOwner(); |
| 164 | const requestTypeParsed = actionsToConsiderAsObjectPut.includes(requestType) ? |
| 165 | 'objectPut' : requestType; |
| 166 | const parsedMainApiCall = actionsToConsiderAsObjectPut.includes(mainApiCall) ? |
| 167 | 'objectPut' : mainApiCall; |
| 168 | // acls don't distinguish between users and accounts, so both should be allowed |
| 169 | if (bucketOwnerActions.includes(requestTypeParsed) |
| 170 | && (bucketOwner === canonicalID)) { |
| 171 | return true; |
| 172 | } |
| 173 | if (objectMD['owner-id'] === canonicalID) { |
| 174 | return true; |
| 175 | } |
| 176 | |
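| 177 | // Backward compatibility: within an objectGet call, objectGetTagging is allowed before any object ACL is read, for unauthenticated requesters or when requesterIsNotUser is set and the bucket owner also owns the object |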
| 178 | if (parsedMainApiCall === 'objectGet') { |
| 179 | if ((isUserUnauthenticated || (requesterIsNotUser && bucketOwner === objectMD['owner-id'])) |
| 180 | && requestTypeParsed === 'objectGetTagging') { |
| 181 | return true; |
| 182 | } |
| 183 | } |
| 184 | |
| 185 | if (!objectMD.acl) { |
| 186 | return false; |
| 187 | } |
| 188 | |
| 189 | if (requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead') { |
| 190 | if (objectMD.acl.Canned === 'public-read' |
| 191 | || objectMD.acl.Canned === 'public-read-write' |
| 192 | || (objectMD.acl.Canned === 'authenticated-read' |
| 193 | && canonicalID !== publicId)) { |
| 194 | return true; |
| 195 | } else if (objectMD.acl.Canned === 'bucket-owner-read' |
| 196 | && bucketOwner === canonicalID) { |
| 197 | return true; |
| 198 | } else if ((objectMD.acl.Canned === 'bucket-owner-full-control' |
| 199 | && bucketOwner === canonicalID) |
| 200 | || objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1 |
| 201 | || objectMD.acl.READ.indexOf(canonicalID) > -1) { |
| 202 | return true; |
| 203 | } else if (objectMD.acl.READ.indexOf(publicId) > -1 |
| 204 | || (objectMD.acl.READ.indexOf(allAuthedUsersId) > -1 |
| 205 | && canonicalID !== publicId) |
| 206 | || (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1 |
| 207 | && canonicalID !== publicId) |
| 208 | || objectMD.acl.FULL_CONTROL.indexOf(publicId) > -1) { |
| 209 | return true; |
| 210 | } |
| 211 | } |
| 212 | |
| 213 | // No object ACL grant is consulted for objectPut/objectDelete: the requester is expected to be |
| 214 | // already authorized on the bucket (FULL_CONTROL or WRITE, or canned ACL public-read-write) |
| 215 | if (requestTypeParsed === 'objectPut' || requestTypeParsed === 'objectDelete') { |
| 216 | return true; |
| 217 | } |
| 218 |
no test coverage detected