From 41e799b4e027bb72be7677888c49037c441ab851 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Wed, 28 Jan 2026 16:23:01 -0800 Subject: [PATCH] s3tables: Consolidate getPrincipalFromRequest and getAccountID into single method Both methods had identical implementations - they return the account ID from request header or fall back to handler's default. Remove the duplicate getPrincipalFromRequest and use getAccountID throughout, with updated comment explaining its dual role as both caller identity and principal for permission checks. --- weed/s3api/s3tables/handler.go | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/weed/s3api/s3tables/handler.go b/weed/s3api/s3tables/handler.go index 088351d3b..982b78b28 100644 --- a/weed/s3api/s3tables/handler.go +++ b/weed/s3api/s3tables/handler.go @@ -157,19 +157,9 @@ func (h *S3TablesHandler) HandleRequest(w http.ResponseWriter, r *http.Request, // Principal/authorization helpers -func (h *S3TablesHandler) getPrincipalFromRequest(r *http.Request) string { - // Prefer the authenticated account ID from the request header. This is the same - // identifier used as the "owner" in permission checks, so keeping them aligned - // avoids mismatches (e.g. username vs. account ID) when IAM is enabled. - if accountID := r.Header.Get(s3_constants.AmzAccountId); accountID != "" { - return accountID - } - - // Default to handler's configured account ID - return h.accountID -} - -// getAccountID returns the authenticated account ID from the request or the handler's default +// getAccountID returns the authenticated account ID from the request or the handler's default. +// This is also used as the principal for permission checks, ensuring alignment between +// the caller identity and ownership verification when IAM is enabled. func (h *S3TablesHandler) getAccountID(r *http.Request) string { if accountID := r.Header.Get(s3_constants.AmzAccountId); accountID != "" { return accountID