From b20ad2fc9d6e39fce0f655fc7659943bb96fa911 Mon Sep 17 00:00:00 2001
From: chrislu
Date: Wed, 12 Nov 2025 21:35:37 -0800
Subject: [PATCH] security fixes

---
 BUCKET_POLICY_ENGINE_INTEGRATION.md | 6 +++---
 weed/s3api/auth_credentials.go      | 2 +-
 weed/s3api/s3api_bucket_handlers.go | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/BUCKET_POLICY_ENGINE_INTEGRATION.md b/BUCKET_POLICY_ENGINE_INTEGRATION.md
index 5dc538dc2..c2b197094 100644
--- a/BUCKET_POLICY_ENGINE_INTEGRATION.md
+++ b/BUCKET_POLICY_ENGINE_INTEGRATION.md
@@ -53,9 +53,9 @@ Created a wrapper around `policy_engine.PolicyEngine` to:
 3. Build principal ARN (e.g., "arn:aws:iam::123456:user/bob")
 4. Check bucket policy:
    - If DENY → reject immediately
-   - If ALLOW → continue to step 5
-   - If no policy → continue to step 5
-5. Check IAM/identity-based permissions
+   - If ALLOW → grant access immediately (bypasses IAM checks)
+   - If no policy or no matching statements → continue to step 5
+5. Check IAM/identity-based permissions (only if not already allowed by bucket policy)
 6. Allow or deny based on identity permissions
 ```
 
diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 9850122c5..39eac5013 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -519,7 +519,7 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
 			// SECURITY: Fail-close on policy evaluation errors
 			// If we can't evaluate the policy, deny access rather than falling through to IAM
 			glog.Errorf("Error evaluating bucket policy for %s/%s: %v - denying access", bucket, object, err)
-			return identity, s3err.ErrInternalError
+			return identity, s3err.ErrAccessDenied
 		} else if evaluated {
 			// A bucket policy exists and was evaluated with a matching statement
 			if allowed {
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index 28b227ce2..6ccf82e27 100644
--- a/weed/s3api/s3api_bucket_handlers.go
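Review bot: Returning ErrAccessDenied from the policy-evaluation error path (the `+` line) makes a server-side failure indistinguishable to the caller from a genuine deny: the client sees a 403, will neither retry nor suspect a broken policy, and an operator triaging the complaint is steered toward IAM unless they find the glog line. Both codes fail closed, so this is a trade-off rather than a bug, but the comment above still only says "deny rather than fall through" and not why a 403 was preferred over a 500; I would extend it with something like `// Report AccessDenied (not InternalError) so an unevaluable policy reads as a plain deny and reveals nothing about the failure; the cause is only in the server log.` If `err` can also be transient (a lookup failure rather than a malformed policy), a 500 is the more honest client signal, and that distinction is worth confirming against what the evaluator returns. authRequest begins and ends outside the hunk, and the `if allowed {` branch it falls into is not visible here.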
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -615,7 +615,7 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti
 			// SECURITY: Fail-close on policy evaluation errors
 			// If we can't evaluate the policy, deny access rather than falling through to IAM
 			glog.Errorf("AuthWithPublicRead: error evaluating bucket policy for %s/%s: %v - denying access", bucket, object, err)
-			s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
+			s3err.WriteErrorResponse(w, r, s3err.ErrAccessDenied)
 			return
 		} else if evaluated {
 			// A bucket policy exists and was evaluated with a matching statement
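Review bot: This fail-close block in AuthWithPublicRead is now a line-for-line copy of the one in authRequest (same two comments, same log shape, same error code), and the fact that this commit had to patch both places to change a single decision is exactly the drift that duplication invites; I would move the log-and-pick-error-code step into one small unexported helper that both call sites use, so the fail-closed code lives in one place. On the context line above, `bucket` and `object` come from the request URL and are formatted with `%s`; `%q` would keep a key containing a newline or control characters from splitting or forging a log line. The `evaluated` branch below, which the accompanying design note says grants access without IAM checks when the policy allows, lies outside this hunk and cannot be checked here. AuthWithPublicRead begins and ends outside the hunk.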