From ee3d779a5d4c16c871b9d84d695970b0fe7234dc Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Wed, 28 Jan 2026 16:21:38 -0800
Subject: [PATCH] s3tables: Separate permission checks for tagging and untagging

- Add CanTagResource() to check TagResource permission
- Add CanUntagResource() to check UntagResource permission
- Update CanManageTags() to check both operations (OR logic)

This prevents UntagResource from incorrectly checking 'ManageTags' permission and ensures each operation validates the correct permission when per-operation permissions are enforced.
---
 weed/s3api/s3tables/permissions.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/weed/s3api/s3tables/permissions.go b/weed/s3api/s3tables/permissions.go
index b89837850..a85591c46 100644
--- a/weed/s3api/s3tables/permissions.go
+++ b/weed/s3api/s3tables/permissions.go
@@ -237,9 +237,19 @@ func CanDeleteTablePolicy(principal, owner, resourcePolicy string) bool {
 	return CheckPermission("DeleteTablePolicy", principal, owner, resourcePolicy)
 }
 
-// CanManageTags checks if principal can manage tags
+// CanTagResource checks if principal can tag a resource
+func CanTagResource(principal, owner, resourcePolicy string) bool {
+	return CheckPermission("TagResource", principal, owner, resourcePolicy)
+}
+
+// CanUntagResource checks if principal can untag a resource
+func CanUntagResource(principal, owner, resourcePolicy string) bool {
+	return CheckPermission("UntagResource", principal, owner, resourcePolicy)
+}
+
+// CanManageTags checks if principal can manage tags (tag or untag)
 func CanManageTags(principal, owner, resourcePolicy string) bool {
-	return CheckPermission("ManageTags", principal, owner, resourcePolicy)
+	return CanTagResource(principal, owner, resourcePolicy) || CanUntagResource(principal, owner, resourcePolicy)
 }
 
 // AuthError represents an authorization error
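Review bot: The OR in the new `CanManageTags` body makes it a weaker gate than either per-operation check, so any caller still using it to guard a tag write or removal will admit a principal holding only the other permission; the commit message says the handlers should now validate the specific operation, but this hunk does not show the call sites being migrated, so that is an inference. If `CanManageTags` is kept only for compatibility, mark it so that new code stops using it, e.g. `// Deprecated: use CanTagResource or CanUntagResource, which check the permission for the specific operation.` placed on its own line in the doc comment; if it is meant to gate a combined tag-and-untag operation, the check should be `&&` rather than `||`. The change also drops the `"ManageTags"` action string from every check here, so a resource policy that granted only that action presumably no longer satisfies any of these functions after upgrade — worth a line in the doc comment or changelog if `CheckPermission` matches action names literally, which I cannot confirm from this hunk. The doc comments on the two new functions follow the file's existing style, and the enclosing file continues outside the hunk on both sides.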