fix security vulnerability

weed/s3api/s3api_bucket_handlers.go

@@ -122,8 +122,13 @@ func isBucketVisibleToIdentity(entry *filer_pb.Entry, identity *Identity) bool {
 		return false
 	}
 
-	// Unauthenticated or admin users bypass ownership check
-	if identity == nil || identity.isAdmin() {
+	// Unauthenticated users should not see any buckets (standard S3 behavior)
+	if identity == nil {
+		return false
+	}
+
+	// Admin users bypass ownership check
+	if identity.isAdmin() {
 		return true
 	}
 

weed/s3api/s3api_bucket_handlers_test.go

@@ -298,15 +298,15 @@ func TestListBucketsOwnershipFiltering(t *testing.T) {
 			description:         "Buckets without owner should be hidden from non-admin users",
 		},
 		{
-			name: "empty identityId skips ownership check",
+			name: "unauthenticated user sees no buckets",
 			buckets: []testBucket{
 				{name: "owned-bucket", ownerId: "user1"},
 				{name: "unowned-bucket", ownerId: ""},
 			},
 			requestIdentityId:   "",
 			requestIsAdmin:      false,
-			expectedBucketNames: []string{"owned-bucket", "unowned-bucket"},
-			description:         "When identityId is empty, ownership check is skipped, all buckets visible",
+			expectedBucketNames: []string{},
+			description:         "Unauthenticated requests should not see any buckets",
 		},
 		{
 			name: "admin sees buckets regardless of ownership",