From 1c0d37e15a9f14c431961d82945942c2c8807003 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Wed, 28 Jan 2026 11:39:28 -0800
Subject: [PATCH] s3tables: improve error handling and permission logic

- Update handleGetNamespace to distinguish between 404 and 500 errors
- Refactor CanManagePolicy to use CheckPermission for consistent enforcement
- Ensure empty identities are correctly handled in policy management checks
---
 weed/s3api/s3tables/handler_namespace.go | 6 +++++-
 weed/s3api/s3tables/permissions.go | 3 +--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/weed/s3api/s3tables/handler_namespace.go b/weed/s3api/s3tables/handler_namespace.go
index 9634bc29d..6d54b86e0 100644
--- a/weed/s3api/s3tables/handler_namespace.go
+++ b/weed/s3api/s3tables/handler_namespace.go
@@ -167,7 +167,11 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
 })
 if err != nil {
- h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, fmt.Sprintf("namespace %s not found", flattenNamespace(req.Namespace)))
+ if errors.Is(err, filer_pb.ErrNotFound) {
+ h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, fmt.Sprintf("namespace %s not found", flattenNamespace(req.Namespace)))
+ } else {
+ h.writeError(w, http.StatusInternalServerError, ErrCodeInternalError, fmt.Sprintf("failed to get namespace: %v", err))
+ }
 return err
 }
diff --git a/weed/s3api/s3tables/permissions.go b/weed/s3api/s3tables/permissions.go
index 5d3da336e..5fc04f803 100644
--- a/weed/s3api/s3tables/permissions.go
+++ b/weed/s3api/s3tables/permissions.go
@@ -159,8 +159,7 @@ func CanListTables(principal, owner string) bool {
 // CanManagePolicy checks if principal can manage policies
 func CanManagePolicy(principal, owner string) bool {
- // Policy management requires owner permissions
- return principal == owner
+ return CheckPermission("ManagePolicy", principal, owner)
 }
 // CanManageTags checks if principal can manage tags
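Review bot: The new 500 branch in handleGetNamespace formats the raw `err` into the response body, so whatever the filer layer returned (internal paths, addresses, RPC detail) is shown to the API caller. Log the error server-side and send a fixed message instead, e.g. `h.writeError(w, http.StatusInternalServerError, ErrCodeInternalError, "failed to get namespace")`. Whether `errors.Is(err, filer_pb.ErrNotFound)` ever matches depends on the lookup closure returning that sentinel directly or wrapped with `%w`; that closure starts above this hunk, so a test that a missing namespace still yields 404 rather than falling into the 500 path would be worth adding.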
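Review bot: CanManagePolicy now depends entirely on how CheckPermission treats the string `"ManagePolicy"`, and the deleted comment was the only place that stated the owner-only rule. CheckPermission is not part of this hunk, so it cannot be confirmed here that an unrecognised operation name or an empty principal/owner pair is denied; the old `principal == owner` returned true when both were empty. Keep the intent in a comment such as `// Policy management is owner-only; an empty principal must never be authorized.` and add a table test covering non-owner, empty principal and empty owner. A named constant for the operation would also keep a typo from silently changing the authorization result.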