From 5f32b3c9824936cf4fc988449a8d7200d4b63dde Mon Sep 17 00:00:00 2001
From: chrislu <chris.lu@gmail.com>
Date: Mon, 25 Aug 2025 09:34:26 -0700
Subject: [PATCH] Modified ListBucketsHandler to use IAM authorization
 (authorizeWithIAM) for JWT users instead of legacy identity.canDo()

---
 weed/s3api/s3api_bucket_handlers.go | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 25a9d0209..81d12be43 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -60,8 +60,22 @@ func (s3a *S3ApiServer) ListBucketsHandler(w http.ResponseWriter, r *http.Reques
 	var listBuckets ListAllMyBucketsList
 	for _, entry := range entries {
 		if entry.IsDirectory {
-			if identity != nil && !identity.canDo(s3_constants.ACTION_LIST, entry.Name, "") {
-				continue
+			// Check permissions for each bucket
+			if identity != nil {
+				// For JWT-authenticated users, use IAM authorization
+				sessionToken := r.Header.Get("X-SeaweedFS-Session-Token")
+				if s3a.iam.iamIntegration != nil && sessionToken != "" {
+					// Use IAM authorization for JWT users
+					errCode := s3a.iam.authorizeWithIAM(r, identity, s3_constants.ACTION_LIST, entry.Name, "")
+					if errCode != s3err.ErrNone {
+						continue
+					}
+				} else {
+					// Use legacy authorization for non-JWT users
+					if !identity.canDo(s3_constants.ACTION_LIST, entry.Name, "") {
+						continue
+					}
+				}
 			}
 			listBuckets.Bucket = append(listBuckets.Bucket, ListAllMyBucketsEntry{
 				Name:         entry.Name,