From 7c82e1a3d1c621908259fc22a5b01d45a3e7bd34 Mon Sep 17 00:00:00 2001
From: chrislu
Date: Thu, 20 Nov 2025 22:27:46 -0800
Subject: [PATCH] Update s3api_bucket_handlers.go
---
 weed/s3api/s3api_bucket_handlers.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 57d497dc6..4222c911e 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -132,6 +132,12 @@ func isBucketVisibleToIdentity(entry *filer_pb.Entry, identity *Identity) bool {
 return true
 }
 
+ // Non-admin users with no name cannot own or see buckets.
+ // This prevents misconfigured identities from matching buckets with empty owner IDs.
+ if identity.Name == "" {
+ return false
+ }
+
 // Non-admin users: check ownership
 // Use the authenticated identity value directly (cannot be spoofed)
 id, ok := entry.Extended[s3_constants.AmzIdentityId]
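Review bot: The new `identity.Name == ""` guard closes the empty-name/empty-owner match only on the visibility side, and its comment ("cannot own or see buckets") claims more than this function enforces, since nothing in the hunk stops an empty name from being stored as a bucket's owner ID at creation time. I would narrow the comment to `// An identity with an empty name must never match a bucket whose stored owner ID is empty.` and confirm that the code writing `s3_constants.AmzIdentityId` also refuses an empty name (that path is not visible here). The diffstat shows only this file changed, so a test case pairing an empty-name non-admin identity with an entry whose owner ID is empty would pin this access-control branch against regressions. isBucketVisibleToIdentity starts and ends outside the hunk, so whether `identity` is nil-checked before the new dereference cannot be confirmed from these lines.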