From 828599fa2d25d2972ce82c358e2785086d0b3536 Mon Sep 17 00:00:00 2001
From: Maha Benzekri
Date: Mon, 15 Jul 2024 10:00:23 +0200
Subject: [PATCH] processBucketPolicy fixup for objectDelete

Introduced by https://github.com/scality/cloudserver/pull/5580 we now do send a requestContext with no specific resource instead of "null", which results in a policy evaluation error. As we get an implicit deny for the requestType "objectDelete", cause the processed result to be false , thus sending an empty array of objects to vault , resulting in a deny even when the policy allows the action on specific objects.

Linked Issue : https://scality.atlassian.net/browse/CLDSRV-555
---
 lib/api/apiUtils/authorization/permissionChecks.js | 2 +-
 lib/api/multiObjectDelete.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/api/apiUtils/authorization/permissionChecks.js b/lib/api/apiUtils/authorization/permissionChecks.js
index d46cf05949..2e6c2e6f41 100644
--- a/lib/api/apiUtils/authorization/permissionChecks.js
+++ b/lib/api/apiUtils/authorization/permissionChecks.js
@@ -356,7 +356,7 @@ function processBucketPolicy(requestType, bucket, canonicalID, arn, bucketOwner,
     const bucketPolicy = bucket.getBucketPolicy();
     let processedResult = results[requestType];
     if (!bucketPolicy) {
-        processedResult = actionImplicitDenies[requestType] === false && aclPermission;
+        processedResult = actionImplicitDenies[requestType] === false && aclPermission;
     } else {
         const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType, canonicalID, arn, bucketOwner, log, request, actionImplicitDenies);
diff --git a/lib/api/multiObjectDelete.js b/lib/api/multiObjectDelete.js
index 855b739aff..44749a415b 100644
--- a/lib/api/multiObjectDelete.js
+++ b/lib/api/multiObjectDelete.js
@@ -509,7 +509,7 @@ function multiObjectDelete(authInfo, request, log, callback) {
                 return next(errors.NoSuchBucket);
             }
             if (!isBucketAuthorized(bucketMD, 'objectDelete', canonicalID, authInfo, log, request,
-                request.actionImplicitDenies)) {
+                false)) {
                 log.trace("access denied due to bucket acl's");
                 // if access denied at the bucket level, no access for
                 // any of the objects so all results will be error results
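Review bot: The literal `false` passed as the actionImplicitDenies argument to isBucketAuthorized is a magic value whose meaning is not visible at this call site, and the permissionChecks.js hunk in the same patch shows the callee's no-bucket-policy branch evaluating `actionImplicitDenies[requestType] === false && aclPermission`; if isBucketAuthorized forwards the argument unchanged, `false['objectDelete']` is `undefined`, so that branch would yield `false` and deny rather than skip implicit-deny evaluation, so please confirm the callee normalizes a non-object argument to an empty map before relying on this. Either way the intent deserves a comment at the call, e.g. `// Bucket-level check only: request.actionImplicitDenies is deliberately not applied here; the implicit denies are evaluated against each object in the per-object authorization (CLDSRV-555).`, assuming the per-object evaluation the commit message describes is where they are now consulted. Since this makes the bucket-level gate more permissive, a test asserting that the per-object path still honours request.actionImplicitDenies would document the invariant that an implicit deny is not lost entirely. multiObjectDelete's body continues outside the hunk on both sides.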