fixups on ACL permission checks for implicitDeny logic

scality · Nov 7, 2023 · 312f9d9 · 312f9d9
1 parent 5fe6d2c
commit 312f9d9
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 7 deletions.
diff --git a/constants.js b/constants.js
@@ -174,6 +174,11 @@ const constants = {
         'user',
         'bucket',
     ],
+    arrayOfAllowed: [
+        'objectPutTagging',
+        'objectPutLegalHold',
+        'objectPutRetention',
+    ],
     allowedUtapiEventFilterStates: ['allow', 'deny'],
     // The AWS assumed Role resource type
     assumedRoleArnResourceType: 'assumed-role',

diff --git a/lib/api/apiUtils/authorization/permissionChecks.js b/lib/api/apiUtils/authorization/permissionChecks.js
@@ -2,7 +2,7 @@ const { evaluators, actionMaps, RequestContext } = require('arsenal').policies;
 const constants = require('../../../../constants');
 
 const { allAuthedUsersId, bucketOwnerActions, logId, publicId,
-    assumedRoleArnResourceType, backbeatLifecycleSessionName } = constants;
+    assumedRoleArnResourceType, backbeatLifecycleSessionName, arrayOfAllowed } = constants;
 
 // whitelist buckets to allow public read on objects
 const publicReadBuckets = process.env.ALLOW_PUBLIC_READ_BUCKETS ?
@@ -15,12 +15,6 @@ function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
     if (bucket.getOwner() === canonicalID) {
         return true;
     }
-    // Backward compatibility
-    const arrayOfAllowed = [
-        'objectPutTagging',
-        'objectPutLegalHold',
-        'objectPutRetention',
-    ];
     if (mainApiCall === 'objectGet') {
         if (requestTypeParsed === 'objectGetTagging') {
             return true;