MCPcopy Index your code
hub / github.com/scality/cloudserver / checkObjectAcls

Function checkObjectAcls

lib/api/apiUtils/authorization/permissionChecks.js:161–261  ·  view source on GitHub ↗
(bucket, objectMD, requestType, canonicalID, requesterIsNotUser,
    isUserUnauthenticated, mainApiCall)

Source from the content-addressed store, hash-verified

159}
160
161function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIsNotUser,
162 isUserUnauthenticated, mainApiCall) {
163 const bucketOwner = bucket.getOwner();
164 const requestTypeParsed = actionsToConsiderAsObjectPut.includes(requestType) ?
165 'objectPut' : requestType;
166 const parsedMainApiCall = actionsToConsiderAsObjectPut.includes(mainApiCall) ?
167 'objectPut' : mainApiCall;
168 // acls don't distinguish between users and accounts, so both should be allowed
169 if (bucketOwnerActions.includes(requestTypeParsed)
170 && (bucketOwner === canonicalID)) {
171 return true;
172 }
173 if (objectMD['owner-id'] === canonicalID) {
174 return true;
175 }
176
177 // Backward compatibility
178 if (parsedMainApiCall === 'objectGet') {
179 if ((isUserUnauthenticated || (requesterIsNotUser && bucketOwner === objectMD['owner-id']))
180 && requestTypeParsed === 'objectGetTagging') {
181 return true;
182 }
183 }
184
185 if (!objectMD.acl) {
186 return false;
187 }
188
189 if (requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead') {
190 if (objectMD.acl.Canned === 'public-read'
191 || objectMD.acl.Canned === 'public-read-write'
192 || (objectMD.acl.Canned === 'authenticated-read'
193 && canonicalID !== publicId)) {
194 return true;
195 } else if (objectMD.acl.Canned === 'bucket-owner-read'
196 && bucketOwner === canonicalID) {
197 return true;
198 } else if ((objectMD.acl.Canned === 'bucket-owner-full-control'
199 && bucketOwner === canonicalID)
200 || objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
201 || objectMD.acl.READ.indexOf(canonicalID) > -1) {
202 return true;
203 } else if (objectMD.acl.READ.indexOf(publicId) > -1
204 || (objectMD.acl.READ.indexOf(allAuthedUsersId) > -1
205 && canonicalID !== publicId)
206 || (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
207 && canonicalID !== publicId)
208 || objectMD.acl.FULL_CONTROL.indexOf(publicId) > -1) {
209 return true;
210 }
211 }
212
213 // User is already authorized on the bucket for FULL_CONTROL or WRITE or
214 // bucket has canned ACL public-read-write
215 if (requestTypeParsed === 'objectPut' || requestTypeParsed === 'objectDelete') {
216 return true;
217 }
218

Callers 2

isObjAuthorizedFunction · 0.85

Calls 1

getOwnerMethod · 0.80

Tested by

no test coverage detected