rgw: fix policy enforcement for GetObjectAttributes

author Matt Benjamin <mbenjamin@redhat.com>

Mon, 8 Sep 2025 20:26:26 +0000 (16:26 -0400)

committer Thomas Serlin <tserlin@redhat.com>

Mon, 22 Sep 2025 19:18:18 +0000 (15:18 -0400)
author Matt Benjamin <mbenjamin@redhat.com>
Mon, 8 Sep 2025 20:26:26 +0000 (16:26 -0400)
committer Thomas Serlin <tserlin@redhat.com>
Mon, 22 Sep 2025 19:18:18 +0000 (15:18 -0400)
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc

index 93c5d17934e3fd33ba71b9410152acbe832788a5..92167f2158339077f48b8905fd6e4a13e49cebf7 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -6490,10 +6490,7 @@ int RGWGetObjAttrs::verify_permission(optional_yield y)
        rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
      }
  
-    /* XXXX the following conjunction should be &&--but iam_action2 is currently not
-     * hooked up and always fails (but should succeed if the requestor has READ
-     * acess to the object) */
-    perm = (verify_object_permission(this, s, iam_action1) || /* && */
+    perm = (verify_object_permission(this, s, iam_action1) &&
             verify_object_permission(this, s, iam_action2));
    }
  
diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h

index ba2f1a7663f973f22274a2f3d0fe0990687bb229..ff22778a36d822c1cd8a2fe73705702b0197b543 100644 (file)
--- a/src/rgw/rgw_op.h
+++ b/src/rgw/rgw_op.h
@@ -2111,7 +2111,6 @@ public:
    }
  };
  
-
  class RGWDeleteMultiObj : public RGWOp {
    /**
     * Handles the deletion of an individual object and uses
author	Matt Benjamin <mbenjamin@redhat.com>
	Mon, 8 Sep 2025 20:26:26 +0000 (16:26 -0400)
committer	Thomas Serlin <tserlin@redhat.com>
	Mon, 22 Sep 2025 19:18:18 +0000 (15:18 -0400)
src/rgw/rgw_op.cc		patch \| blob \| history
src/rgw/rgw_op.h		patch \| blob \| history