From 32fade010ace55c36f1ae8a6830620f2b833fa94 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Wed, 28 Jan 2026 13:50:13 -0800 Subject: [PATCH] s3tables: refactor permission checks to use resource owner in bucket handlers --- .../handler_bucket_get_list_delete.go | 56 ++++++++++++++----- 1 file changed, 41 insertions(+), 15 deletions(-) diff --git a/weed/s3api/s3tables/handler_bucket_get_list_delete.go b/weed/s3api/s3tables/handler_bucket_get_list_delete.go index 443f043fa..7705f29f9 100644 --- a/weed/s3api/s3tables/handler_bucket_get_list_delete.go +++ b/weed/s3api/s3tables/handler_bucket_get_list_delete.go @@ -14,12 +14,6 @@ import ( // handleGetTableBucket gets details of a table bucket func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Request, filerClient FilerClient) error { // Check permission - principal := h.getPrincipalFromRequest(r) - accountID := h.getAccountID(r) - if !CanGetTableBucket(principal, accountID) { - h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details") - return NewAuthError("GetTableBucket", principal, "not authorized to get table bucket details") - } var req GetTableBucketRequest if err := h.readRequestBody(r, &req); err != nil { @@ -46,7 +40,10 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re if err != nil { return err } - return json.Unmarshal(data, &metadata) + if err := json.Unmarshal(data, &metadata); err != nil { + return fmt.Errorf("failed to unmarshal metadata: %w", err) + } + return nil }) if err != nil { @@ -58,6 +55,13 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re return err } + // Check permission + principal := h.getPrincipalFromRequest(r) + if !CanGetTableBucket(principal, metadata.OwnerID) { + h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details") + return NewAuthError("GetTableBucket", principal, "not authorized to get table bucket details") + } + resp := &GetTableBucketResponse{ ARN: h.generateTableBucketARN(r, bucketName), Name: metadata.Name, @@ -197,13 +201,6 @@ func (h *S3TablesHandler) handleListTableBuckets(w http.ResponseWriter, r *http. // handleDeleteTableBucket deletes a table bucket func (h *S3TablesHandler) handleDeleteTableBucket(w http.ResponseWriter, r *http.Request, filerClient FilerClient) error { - // Check permission - principal := h.getPrincipalFromRequest(r) - accountID := h.getAccountID(r) - if !CanDeleteTableBucket(principal, accountID) { - h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table buckets") - return NewAuthError("DeleteTableBucket", principal, "not authorized to delete table buckets") - } var req DeleteTableBucketRequest if err := h.readRequestBody(r, &req); err != nil { @@ -224,7 +221,36 @@ func (h *S3TablesHandler) handleDeleteTableBucket(w http.ResponseWriter, r *http bucketPath := getTableBucketPath(bucketName) - // Check if bucket exists and is empty + // Check if bucket exists and get metadata for permission check + var metadata tableBucketMetadata + err = filerClient.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error { + data, err := h.getExtendedAttribute(r.Context(), client, bucketPath, ExtendedKeyMetadata) + if err != nil { + return err + } + if err := json.Unmarshal(data, &metadata); err != nil { + return fmt.Errorf("failed to unmarshal metadata: %w", err) + } + return nil + }) + + if err != nil { + if errors.Is(err, filer_pb.ErrNotFound) { + h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName)) + } else { + h.writeError(w, http.StatusInternalServerError, ErrCodeInternalError, fmt.Sprintf("failed to get table bucket metadata: %v", err)) + } + return err + } + + // Check permission + principal := h.getPrincipalFromRequest(r) + if !CanDeleteTableBucket(principal, metadata.OwnerID) { + h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table bucket") + return NewAuthError("DeleteTableBucket", principal, "not authorized to delete table bucket") + } + + // Check if bucket is empty hasChildren := false err = filerClient.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error { resp, err := client.ListEntries(r.Context(), &filer_pb.ListEntriesRequest{