From 12c1190a5cd36f467d834f030262016ad40cf398 Mon Sep 17 00:00:00 2001
From: Chris Lu <chris.lu@gmail.com>
Date: Wed, 28 Jan 2026 13:25:27 -0800
Subject: [PATCH] s3tables: update namespace handlers for multi-account support

Updated namespace creation to use authenticated account ID for ownership
and unified permission checks across all namespace operations to use the
correct account principal.
---
 weed/s3api/s3tables/handler_namespace.go | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/weed/s3api/s3tables/handler_namespace.go b/weed/s3api/s3tables/handler_namespace.go
index e73be2806..bcb9d38a8 100644
--- a/weed/s3api/s3tables/handler_namespace.go
+++ b/weed/s3api/s3tables/handler_namespace.go
@@ -22,7 +22,8 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanCreateNamespace(principal, h.accountID) {
+	accountID := h.getAccountID(r)
+	if !CanCreateNamespace(principal, accountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace")
 		return NewAuthError("CreateNamespace", principal, "not authorized to create namespace")
 	}
@@ -86,7 +87,7 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
 	metadata := &namespaceMetadata{
 		Namespace: req.Namespace,
 		CreatedAt: now,
-		OwnerID:   h.accountID,
+		OwnerID:   h.getAccountID(r),
 	}
 
 	metadataBytes, err := json.Marshal(metadata)
@@ -133,7 +134,8 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanGetNamespace(principal, h.accountID) {
+	accountID := h.getAccountID(r)
+	if !CanGetNamespace(principal, accountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get namespace details")
 		return NewAuthError("GetNamespace", principal, "not authorized to get namespace details")
 	}
@@ -196,7 +198,8 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanListNamespaces(principal, h.accountID) {
+	accountID := h.getAccountID(r)
+	if !CanListNamespaces(principal, accountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to list namespaces")
 		return NewAuthError("ListNamespaces", principal, "not authorized to list namespaces")
 	}
@@ -330,7 +333,8 @@ func (h *S3TablesHandler) handleDeleteNamespace(w http.ResponseWriter, r *http.R
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanDeleteNamespace(principal, h.accountID) {
+	accountID := h.getAccountID(r)
+	if !CanDeleteNamespace(principal, accountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete namespace")
 		return NewAuthError("DeleteNamespace", principal, "not authorized to delete namespace")
 	}